VDB

CVE-2025-27112

CVE-2025-27112 PUBLISHED CVSS 6.900000095367432 MEDIUM

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.

EPSS 28.46% · 96.6th percentile

Risk Scores

CVSS 4.0
6.900000095367432
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Score
28.46%
96.6th percentile

Affected Products

VendorProductVersions
navidromenavidrome>= 0.52.0, < 0.54.5, 0.52.0, 0.52.0
github.comnavidrome/navidrome0.52.0, 0.52.0

Exploit Intelligence

…and 192 more exploits

Timeline

  • Jan 21, 1970 CrowdSec Sighting
  • Aug 19, 2022 CrowdSec Sighting
  • Feb 6, 2024 CrowdSec Sighting
  • Feb 8, 2024 CrowdSec Sighting
  • Feb 24, 2025 CVE Published
  • Feb 24, 2025 PoC Published
  • Feb 27, 2025 EPSS Score
  • Mar 4, 2025 PoC Published
  • Mar 5, 2025 PoC Published
  • Mar 13, 2025 EPSS Score
  • Mar 17, 2025 EPSS Score
  • Mar 23, 2025 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›