CVE-2025-27112 Scanner

CVE-2025-27112 Scanner - Authentication Bypass vulnerability in Navidrome

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 23 days 11 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Navidrome is a popular open source web-based music server and streamer, primarily used by music enthusiasts and developers. Its main purpose is to allow users to access and stream their music collections remotely. The software is widely used by individuals and small organizations who want to host their own music streaming service without relying on third-party services. Navidrome is prized for its user-friendly interface, cross-platform compatibility, and robust streaming capabilities. It's particularly popular among users who value open source solutions and self-hosted software for greater control over their data. The software is maintained by an active community and receives regular updates to enhance functionality and security.

The vulnerability detected in Navidrome is an authentication bypass in specific Subsonic API endpoints. Attackers can bypass the standard authentication mechanism by supplying an arbitrary username together with a salted hash of an empty password, which gives them unauthorized access to various read-only sections of the Navidrome application. Attempts to alter data fail because of insufficient permissions, so the impact is limited to unauthorized viewing. The vulnerability is significant because it could expose sensitive data to unauthorized users. The patched version, 0.54.5, addresses this security flaw.

The technical details of the authentication bypass vulnerability involve exploiting a loophole in the Subsonic API authentication process. Attackers can specify any non-existent username with a corresponding salted hash for an empty password. When processed, Navidrome erroneously authenticates the request due to the flawed check process. This allows access to various read-only data endpoints, such as user playlists. Despite the successful authentication bypass, modifying data is not possible due to the system's permission controls. This vulnerability primarily affects the confidentiality of user data in Navidrome installations.
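A defender can look for this request pattern in reverse-proxy access logs. The following is an added example, not part of the scanner or of Navidrome: it assumes the Subsonic API's token scheme (query parameters `u`, `t`, `s` with `t = md5(password + salt)`), a common-log-style line format, and constructed sample lines.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qs

# Request part of a common-log-style line (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def subsonic_token(password: str, salt: str) -> str:
    """Subsonic token auth: t = md5(password + salt), hex-encoded."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()

def is_empty_password_token(token: str, salt: str) -> bool:
    """True when the token is exactly the salted hash of an empty password."""
    return token.lower() == subsonic_token("", salt)

def scan(lines):
    """Return (user, path) for Subsonic requests carrying an empty-password token."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if "/rest/" not in url.path:      # Subsonic API endpoints only
            continue
        q = parse_qs(url.query)
        user, token, salt = (q.get(k, [""])[0] for k in ("u", "t", "s"))
        if token and salt and is_empty_password_token(token, salt):
            hits.append((user, url.path))
    return hits

def sample_line(user, password, salt, path="/rest/getPlaylists"):
    """Build a constructed log line; addresses and names are illustrative."""
    t = subsonic_token(password, salt)
    return (f'198.51.100.9 - - [01/Mar/2025:10:00:00 +0000] '
            f'"GET {path}?u={user}&t={t}&s={salt}&v=1.16.1&c=demo HTTP/1.1" 200 321')

SAMPLE = [  # constructed input, not real traffic
    sample_line("alice", "correct horse", "c19b2d"),        # normal login
    sample_line("nosuchuser", "", "9f31aa"),                # pattern described above
    sample_line("ghost", "", "77e0b1", "/rest/getStarred"),
    '198.51.100.9 - - [01/Mar/2025:10:00:05 +0000] "GET /app/ HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for user, path in scan(SAMPLE):
        print(f"empty-password token: user={user!r} endpoint={path}")
```

A hit shows that the pattern was sent, not that it worked: Subsonic-style APIs report authentication failures in the response body, so the HTTP status alone does not distinguish the two, and an account that really has an empty password produces the same token.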

If exploited, this authentication bypass vulnerability could lead to several potential effects. Unauthorized users may gain access to view user playlists and other read-only data within Navidrome. While attackers cannot modify data, the exposure of information could lead to privacy breaches or information leaks. This vulnerability may undermine user trust in the application, especially if sensitive information is viewed improperly. Moreover, attackers with knowledge of this flaw could develop automated tools to scan for and exploit vulnerable Navidrome installations. The release of version 0.54.5 is crucial for mitigating these risks.
