Vulnerabilites related to navidrome - navidrome
CVE-2025-48948 (GCVE-0-2025-48948)
Vulnerability from cvelistv5
Published
2025-05-30 19:25
Modified
2025-05-30 20:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48948",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T20:44:04.673537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T20:44:14.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "navidrome",
"vendor": "navidrome",
"versions": [
{
"status": "affected",
"version": "\u003c 0.56.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T19:25:41.422Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3"
},
{
"name": "https://github.com/navidrome/navidrome/pull/4096",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/navidrome/navidrome/pull/4096"
},
{
"name": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8"
}
],
"source": {
"advisory": "GHSA-f238-rggp-82m3",
"discovery": "UNKNOWN"
},
"title": "Navidrome Transcoding Permission Bypass Vulnerability Report"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48948",
"datePublished": "2025-05-30T19:25:41.422Z",
"dateReserved": "2025-05-28T18:49:07.583Z",
"dateUpdated": "2025-05-30T20:44:14.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27112 (GCVE-0-2025-27112)
Vulnerability from cvelistv5
Published
2025-02-24 18:37
Modified
2025-02-24 19:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27112",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T18:59:48.124056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T19:00:44.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "navidrome",
"vendor": "navidrome",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.52.0, \u003c 0.54.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a \"permission denied\" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T18:43:51.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-c3p4-vm8f-386p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-c3p4-vm8f-386p"
},
{
"name": "https://github.com/navidrome/navidrome/commit/287079a9e409fb6b9708ca384d7daa7b5185c1a0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/navidrome/navidrome/commit/287079a9e409fb6b9708ca384d7daa7b5185c1a0"
}
],
"source": {
"advisory": "GHSA-c3p4-vm8f-386p",
"discovery": "UNKNOWN"
},
"title": "Navidrome has authentication bypass in Subsonic API with non-existent username"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27112",
"datePublished": "2025-02-24T18:37:14.221Z",
"dateReserved": "2025-02-18T16:44:48.767Z",
"dateUpdated": "2025-02-24T19:00:44.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51442 (GCVE-0-2023-51442)
Vulnerability from cvelistv5
Published
2023-12-21 14:54
Modified
2024-08-02 22:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed with the key "not so secret". The vulnerability can only be exploited on instances that have never been restarted. Navidrome supports an extension to the subsonic authentication scheme, where a JWT can be provided using a `jwt` query parameter instead of the traditional password or token and salt (corresponding to resp. the `p` or `t` and `s` query parameters). This authentication bypass vulnerability potentially affects all instances that don't protect the subsonic endpoint `/rest/`, which is expected to be most instances in a standard deployment, and most instances in the reverse proxy setup too (as the documentation mentions to leave that endpoint unprotected). This issue has been patched in version 0.50.2.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:32:10.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-wq59-4q6r-635r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-wq59-4q6r-635r"
},
{
"name": "https://github.com/navidrome/navidrome/commit/1132abb0135d1ecaebc41ed97a1e908a4ae02f7c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/navidrome/navidrome/commit/1132abb0135d1ecaebc41ed97a1e908a4ae02f7c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "navidrome",
"vendor": "navidrome",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.50.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome\u0027s subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed with the key \"not so secret\". The vulnerability can only be exploited on instances that have never been restarted. Navidrome supports an extension to the subsonic authentication scheme, where a JWT can be provided using a `jwt` query parameter instead of the traditional password or token and salt (corresponding to resp. the `p` or `t` and `s` query parameters). This authentication bypass vulnerability potentially affects all instances that don\u0027t protect the subsonic endpoint `/rest/`, which is expected to be most instances in a standard deployment, and most instances in the reverse proxy setup too (as the documentation mentions to leave that endpoint unprotected). This issue has been patched in version 0.50.2.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-21T14:54:56.848Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-wq59-4q6r-635r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-wq59-4q6r-635r"
},
{
"name": "https://github.com/navidrome/navidrome/commit/1132abb0135d1ecaebc41ed97a1e908a4ae02f7c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/navidrome/navidrome/commit/1132abb0135d1ecaebc41ed97a1e908a4ae02f7c"
}
],
"source": {
"advisory": "GHSA-wq59-4q6r-635r",
"discovery": "UNKNOWN"
},
"title": "Authentication bypass vulnerability in navidrome\u0027s subsonic endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-51442",
"datePublished": "2023-12-21T14:54:56.848Z",
"dateReserved": "2023-12-19T13:52:41.787Z",
"dateUpdated": "2024-08-02T22:32:10.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32963 (GCVE-0-2024-32963)
Vulnerability from cvelistv5
Published
2024-05-01 06:39
Modified
2024-08-02 02:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:navidrome:navidrome:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "navidrome",
"vendor": "navidrome",
"versions": [
{
"lessThan": "0.52.0",
"status": "affected",
"version": "-",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32963",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T15:00:08.291820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:49:41.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:27:52.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "navidrome",
"vendor": "navidrome",
"versions": [
{
"status": "affected",
"version": "\u003c 0.52.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T06:39:10.510Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm"
}
],
"source": {
"advisory": "GHSA-4jrx-5w4h-3gpm",
"discovery": "UNKNOWN"
},
"title": "Parameter Tampering vulnerability in Navidrome"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32963",
"datePublished": "2024-05-01T06:39:10.510Z",
"dateReserved": "2024-04-22T15:14:59.164Z",
"dateUpdated": "2024-08-02T02:27:52.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48949 (GCVE-0-2025-48949)
Vulnerability from cvelistv5
Published
2025-05-30 19:40
Modified
2025-05-30 20:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information. Version 0.56.0 contains a patch for the issue.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48949",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T20:45:23.042714Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T20:45:32.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "navidrome",
"vendor": "navidrome",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.55.0, \u003c 0.56.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information. Version 0.56.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T19:40:51.355Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r"
},
{
"name": "https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6"
}
],
"source": {
"advisory": "GHSA-5wgp-vjxm-3x2r",
"discovery": "UNKNOWN"
},
"title": "Navidrome allows SQL Injection via role parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48949",
"datePublished": "2025-05-30T19:40:51.355Z",
"dateReserved": "2025-05-28T18:49:07.584Z",
"dateUpdated": "2025-05-30T20:45:32.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23857 (GCVE-0-2022-23857)
Vulnerability from cvelistv5
Published
2022-01-24 01:56
Modified
2024-08-03 03:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users' encrypted passwords).
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:46.119Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/navidrome/navidrome/releases/tag/v0.47.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users\u0027 encrypted passwords)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-24T01:56:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/navidrome/navidrome/releases/tag/v0.47.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d"
}
],
"x_ConverterErrors": {
"cvssV3_1": {
"error": "CVSSV3_1 data from v4 record is invalid",
"message": "Missing mandatory metrics \"AV\""
}
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-23857",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users\u0027 encrypted passwords)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AC:L/A:N/C:H/I:N/PR:L/S:U/UI:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/navidrome/navidrome/releases/tag/v0.47.5",
"refsource": "MISC",
"url": "https://github.com/navidrome/navidrome/releases/tag/v0.47.5"
},
{
"name": "https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d",
"refsource": "MISC",
"url": "https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-23857",
"datePublished": "2022-01-24T01:56:34",
"dateReserved": "2022-01-24T00:00:00",
"dateUpdated": "2024-08-03T03:51:46.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56362 (GCVE-0-2024-56362)
Vulnerability from cvelistv5
Published
2024-12-23 17:19
Modified
2024-12-24 01:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Summary
Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56362",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T01:35:10.350827Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T01:35:29.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "navidrome",
"vendor": "navidrome",
"versions": [
{
"status": "affected",
"version": "\u003c 0.54.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-23T17:19:51.108Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-xwx7-p63r-2rj8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-xwx7-p63r-2rj8"
},
{
"name": "https://github.com/navidrome/navidrome/commit/7f030b0859653593fd2ac0df69f4a313f9caf9ff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/navidrome/navidrome/commit/7f030b0859653593fd2ac0df69f4a313f9caf9ff"
},
{
"name": "https://github.com/navidrome/navidrome/commit/9cbdb20a318a49daf95888b1fd207d4d729b55f1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/navidrome/navidrome/commit/9cbdb20a318a49daf95888b1fd207d4d729b55f1"
}
],
"source": {
"advisory": "GHSA-xwx7-p63r-2rj8",
"discovery": "UNKNOWN"
},
"title": "Navidrome Stores JWT Secret in Plaintext in navidrome.db"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56362",
"datePublished": "2024-12-23T17:19:51.108Z",
"dateReserved": "2024-12-20T17:34:56.867Z",
"dateUpdated": "2024-12-24T01:35:29.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47062 (GCVE-0-2024-47062)
Vulnerability from cvelistv5
Published
2024-09-20 19:01
Modified
2024-09-20 19:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username. When adding parameters to the URL, they are automatically included in an SQL `LIKE` statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with `AAA`. This results in an SQL query like `password LIKE 'AAA%'`, allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:navidrome:navidrome:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "navidrome",
"vendor": "navidrome",
"versions": [
{
"status": "affected",
"version": "0.53.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47062",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T19:16:46.543650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T19:17:55.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "navidrome",
"vendor": "navidrome",
"versions": [
{
"status": "affected",
"version": "\u003c 0.53.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username. When adding parameters to the URL, they are automatically included in an SQL `LIKE` statement (depending on the parameter\u0027s name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with `AAA`. This results in an SQL query like `password LIKE \u0027AAA%\u0027`, allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T19:01:09.547Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-58vj-cv5w-v4v6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-58vj-cv5w-v4v6"
}
],
"source": {
"advisory": "GHSA-58vj-cv5w-v4v6",
"discovery": "UNKNOWN"
},
"title": "Multiple SQL Injections and ORM Leak in navidrome"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47062",
"datePublished": "2024-09-20T19:01:09.547Z",
"dateReserved": "2024-09-17T17:42:37.027Z",
"dateUpdated": "2024-09-20T19:17:55.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2022-01-24 02:15
Modified
2024-11-21 06:49
Severity ?
Summary
model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users' encrypted passwords).
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/navidrome/navidrome/releases/tag/v0.47.5 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/navidrome/navidrome/releases/tag/v0.47.5 | Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6BC0E5B5-AC3D-45CF-91C5-1B32926512AE",
"versionEndExcluding": "0.47.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users\u0027 encrypted passwords)."
},
{
"lang": "es",
"value": "El archivo model/criteria/criteria.go en Navidrome versiones anteriores a 0.47.5, es vulnerable a ataques de inyecci\u00f3n SQL cuando son procesados listas de reproducci\u00f3n inteligentes dise\u00f1adas. Un usuario autenticado podr\u00eda abusar de esto para extraer datos arbitrarios de la base de datos, incluyendo la tabla de usuarios (que contiene informaci\u00f3n confidencial como las contrase\u00f1as cifradas de usuarios)"
}
],
"id": "CVE-2022-23857",
"lastModified": "2024-11-21T06:49:22.467",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-24T02:15:06.877",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/navidrome/navidrome/releases/tag/v0.47.5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/navidrome/navidrome/releases/tag/v0.47.5"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-12-21 15:15
Modified
2024-11-21 08:38
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Summary
Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed with the key "not so secret". The vulnerability can only be exploited on instances that have never been restarted. Navidrome supports an extension to the subsonic authentication scheme, where a JWT can be provided using a `jwt` query parameter instead of the traditional password or token and salt (corresponding to resp. the `p` or `t` and `s` query parameters). This authentication bypass vulnerability potentially affects all instances that don't protect the subsonic endpoint `/rest/`, which is expected to be most instances in a standard deployment, and most instances in the reverse proxy setup too (as the documentation mentions to leave that endpoint unprotected). This issue has been patched in version 0.50.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*",
"matchCriteriaId": "230BD176-20CA-4E61-BD08-AB11F8ACBF0B",
"versionEndExcluding": "0.50.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome\u0027s subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed with the key \"not so secret\". The vulnerability can only be exploited on instances that have never been restarted. Navidrome supports an extension to the subsonic authentication scheme, where a JWT can be provided using a `jwt` query parameter instead of the traditional password or token and salt (corresponding to resp. the `p` or `t` and `s` query parameters). This authentication bypass vulnerability potentially affects all instances that don\u0027t protect the subsonic endpoint `/rest/`, which is expected to be most instances in a standard deployment, and most instances in the reverse proxy setup too (as the documentation mentions to leave that endpoint unprotected). This issue has been patched in version 0.50.2.\n"
},
{
"lang": "es",
"value": "Navidrome es un servidor y transmisor de colecci\u00f3n de m\u00fasica basado en web de c\u00f3digo abierto. Se ha identificado una vulnerabilidad de seguridad en el endpoint subs\u00f3nico de Navidrome, lo que permite omitir la autenticaci\u00f3n. Esta explotaci\u00f3n permite el acceso no autorizado a cualquier cuenta conocida mediante la utilizaci\u00f3n de un token web JSON (JWT) firmado con la clave \"not so secret\". La vulnerabilidad s\u00f3lo se puede explotar en instancias que nunca se han reiniciado. Navidrome admite una extensi\u00f3n del esquema de autenticaci\u00f3n subs\u00f3nica, donde se puede proporcionar un JWT usando un par\u00e1metro de consulta `jwt` en lugar de la contrase\u00f1a tradicional o token y salt (correspondiente a, respectivamente, la consulta `p` o `t` y `s` par\u00e1metros). Esta vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n afecta potencialmente a todas las instancias que no protegen el endpoint subs\u00f3nico `/rest/`, que se espera que sea la mayor\u00eda de las instancias en una implementaci\u00f3n est\u00e1ndar, y tambi\u00e9n la mayor\u00eda de las instancias en la configuraci\u00f3n de proxy inverso (como menciona la documentaci\u00f3n para dejar ese punto final desprotegido). Este problema se solucion\u00f3 en la versi\u00f3n 0.50.2."
}
],
"id": "CVE-2023-51442",
"lastModified": "2024-11-21T08:38:07.630",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-21T15:15:13.397",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/navidrome/navidrome/commit/1132abb0135d1ecaebc41ed97a1e908a4ae02f7c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-wq59-4q6r-635r"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/navidrome/navidrome/commit/1132abb0135d1ecaebc41ed97a1e908a4ae02f7c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-wq59-4q6r-635r"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-02-24 19:15
Modified
2025-02-27 20:24
Severity ?
Summary
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:go:*:*",
"matchCriteriaId": "539CEE37-8539-4175-BAFB-B4B65358B672",
"versionEndExcluding": "0.54.5",
"versionStartIncluding": "0.52.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a \"permission denied\" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue."
},
{
"lang": "es",
"value": "Navidrome es un servidor y transmisor de m\u00fasica de c\u00f3digo abierto basado en la web. A partir de la versi\u00f3n 0.52.0 y antes de la versi\u00f3n 0.54.5, en ciertos endpoints de la API de Subsonic, un fallo en el proceso de verificaci\u00f3n de autenticaci\u00f3n permite a un atacante especificar cualquier nombre de usuario arbitrario que no exista en el sistema, junto con un hash con sal de una contrase\u00f1a vac\u00eda. En estas condiciones, Navidrome trata la solicitud como autenticada, otorgando acceso a varios endpoints de Subsonic sin requerir credenciales v\u00e1lidas. Un atacante puede usar cualquier nombre de usuario inexistente para eludir el sistema de autenticaci\u00f3n y obtener acceso a varios datos de solo lectura en Navidrome, como listas de reproducci\u00f3n de usuarios. Sin embargo, cualquier intento de modificar los datos falla con un error de \"permiso denegado\" debido a permisos insuficientes, lo que limita el impacto a la visualizaci\u00f3n no autorizada de la informaci\u00f3n. La versi\u00f3n 0.54.5 contiene un parche para este problema."
}
],
"id": "CVE-2025-27112",
"lastModified": "2025-02-27T20:24:21.910",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-02-24T19:15:14.597",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/navidrome/navidrome/commit/287079a9e409fb6b9708ca384d7daa7b5185c1a0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-c3p4-vm8f-386p"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}