GHSA-5mrf-j8v6-f45g
Vulnerability from github
Published: 2025-11-18 18:24
Modified: 2025-11-19 14:22
Summary: LibreNMS has Weak Password Policy
Details

Summary

A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks.


Details

Vulnerable Component: User creation / password definition

The application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.


PoC

  1. Log in to the application using an Administrator account.

  2. Navigate to the user management section.

  3. Create a new user account using the password 12345678.

  4. The application accepts the weak password without restrictions and creates the account successfully.


Impact

Weak password policy vulnerabilities can have severe consequences, including:

  • Increased risk of brute-force and credential stuffing attacks

  • Unauthorized access to user or administrative accounts

  • Privilege escalation through compromised credentials

  • Degradation of the overall security posture of the platform


Mitigation

  • Enforce a strong password policy (e.g., minimum of 12 characters with uppercase, lowercase, digits, and special characters).

  • Block the use of commonly known weak passwords (e.g., 12345678, password, admin, qwerty).
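One way to implement the two mitigations above, as an added example that is not part of the advisory or of LibreNMS's own code (LibreNMS is a PHP/Laravel application; this Python version is only an illustration, and the blocklist contents are constructed here). It goes slightly beyond the page in one respect: trailing digits and symbols are stripped before the blocklist lookup, so variants such as Password123! are still caught.

```python
import re
import string

# Policy as stated in the advisory's mitigation section: at least 12 characters,
# all four character classes, and a blocklist of well-known weak passwords.
MIN_LENGTH = 12

# Constructed blocklist for illustration only; a real deployment would load a
# large breached-password corpus instead of this inline set.
COMMON_WEAK_PASSWORDS = {
    "12345678", "123456789", "1234567890", "password", "admin", "qwerty",
    "letmein", "welcome", "librenms",
}

# Each required class maps to a predicate over a single character.
_CLASSES = {
    "uppercase letter": str.isupper,
    "lowercase letter": str.islower,
    "digit": str.isdigit,
    "special character": lambda c: c in string.punctuation,
}


def _normalize(pw):
    """Casefold and strip trailing digits/symbols so 'Password123!' hits 'password'."""
    return re.sub(r"[\W\d_]+$", "", pw.casefold())


def check_password(candidate):
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    for name, pred in _CLASSES.items():
        if not any(pred(c) for c in candidate):
            violations.append(f"missing {name}")
    # Check both the raw (casefolded) value and the normalized variant.
    if candidate.casefold() in COMMON_WEAK_PASSWORDS or _normalize(candidate) in COMMON_WEAK_PASSWORDS:
        violations.append("matches a commonly used weak password")
    return violations


def is_acceptable(candidate):
    return not check_password(candidate)


if __name__ == "__main__":
    for pw in ("12345678", "Password123!", "Tr0ub4dor&3-Correct!"):
        print(pw, "->", check_password(pw) or "OK")
```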



{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-521"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-18T18:24:26Z",
    "nvd_published_at": "2025-11-18T23:15:56Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nA **Weak Password Policy** vulnerability was identified in the user management functionality of the _LibreNMS_ application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as `12345678`. This exposes the platform to brute-force and credential stuffing attacks.\n\n---\n\n## Details\n\n**Vulnerable Component:** User creation / password definition\n\nThe application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.\n\n---\n\n## PoC\n\n1. Log in to the application using an **Administrator** account.\n    \n2. Navigate to the user management section:  \n      \n3. Create a new user account using the password `12345678`.\n    \n\n\u003cimg width=\"1103\" height=\"852\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a20d4226-9f86-46ee-a4e6-45be91bb6b7b\" /\u003e\n\n4. The application accepts the weak password without restrictions and creates the account successfully.\n    \n\u003cimg width=\"1359\" height=\"487\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9bec15bf-b38f-448b-8f98-acca5724e143\" /\u003e\n\n---\n\n## Impact\n\nWeak password policy vulnerabilities can have severe consequences, including:\n\n- Increased risk of brute-force and credential stuffing attacks\n    \n- Unauthorized access to user or administrative accounts\n    \n- Privilege escalation through compromised credentials\n    \n- Degradation of the overall security posture of the platform\n    \n\n---\n\n## Mitigation\n\n- Enforce a strong password policy (e.g., minimum of 12 characters with uppercase, lowercase, digits, and special characters).\n    \n- Block the use of commonly known weak passwords (e.g., `12345678`, `password`, `admin`, `qwerty`).",
  "id": "GHSA-5mrf-j8v6-f45g",
  "modified": "2025-11-19T14:22:58Z",
  "published": "2025-11-18T18:24:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65014"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LibreNMS has Weak Password Policy"
}