CVE-2025-27112 Scanner

Navidrome <=0.54.5 - Authentication Bypass in Subsonic API CVE-2025-27112 Scanner

Short Info

Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 16 days 5 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Navidrome is an open-source, web-based music collection server and streamer designed for personal media streaming. It lets users organize and play their music collection through a browser interface. The software supports features such as playlist management, metadata handling and streaming, and it implements the Subsonic API, so Subsonic-compatible clients can connect to it. Navidrome is commonly used by individual users and music enthusiasts who prefer self-hosted, customizable media servers. The product is written in the Go programming language and serves as a platform for accessing and managing music collections remotely.

This vulnerability allows attackers to bypass Navidrome's authentication mechanism. The flaw lies in the Subsonic API endpoints: a request that supplies a non-existent username together with a salted hash of an empty password is incorrectly treated by Navidrome as authenticated, granting unauthorized access to certain endpoints. Although data modification is blocked by permission errors, the flaw lets an attacker read data, such as user playlists, without valid credentials.

The authentication bypass occurs in the Subsonic API when the username supplied is one that does not exist and the password is set to a salted hash of an empty password. This combination is enough for the server to treat the request as authenticated, even though the credentials are invalid. The affected API endpoint is /rest/getPlaylists, which returns data when this crafted username and password combination is supplied. Attempts to modify data result in permission-denied errors, so the impact on data integrity is limited.
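As an added example (not Navidrome's own code), the shape of a hardened Subsonic token check in Go: it assumes the standard Subsonic token scheme, in which the t parameter is the hex MD5 of password+salt and s is the salt, and it rejects a username that is missing from the user store before any token is computed, which is the guard the bypass described above depends on. The user store, password and salt values are constructed.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// users maps a username to its stored password. Constructed sample data,
// not Navidrome's real user store.
var users = map[string]string{
	"alice": "correct horse battery staple",
}

// subsonicToken computes the Subsonic API token for a password and salt:
// the hex MD5 of password+salt (assumed here to be the scheme the server
// compares the t parameter against).
func subsonicToken(password, salt string) string {
	sum := md5.Sum([]byte(password + salt))
	return hex.EncodeToString(sum[:])
}

// authenticate validates the u/t/s parameters of a Subsonic API request.
// The lookup guard is the essential part: a username that is not in the
// store fails immediately, so an unknown user can never fall through to a
// comparison against an empty password. An empty stored password or an
// empty salt is also refused, and the comparison is constant-time.
func authenticate(username, token, salt string) bool {
	password, ok := users[username]
	if !ok || password == "" || salt == "" {
		return false
	}
	expected := subsonicToken(password, salt)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(token)) == 1
}

func main() {
	salt := "c19b2d" // constructed salt value
	// Legitimate request from a known user is accepted.
	fmt.Println(authenticate("alice", subsonicToken("correct horse battery staple", salt), salt)) // true
	// Regression check for the bypass on this page: an unknown user
	// presenting the token for an empty password is rejected.
	fmt.Println(authenticate("nobody", subsonicToken("", salt), salt)) // false
}
```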

If exploited, this vulnerability could allow attackers to view sensitive information, such as user playlists, without proper authentication. This could lead to exposure of personal data or media content. However, since modification attempts result in permission-denied errors, attackers cannot alter or delete data. The overall impact is limited to unauthorized viewing of information, but it could still pose privacy risks to users of the service.
