CVE-2025-48948 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-48948 PUBLISHED CVSS 7.400000095367432 HIGH

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.

EPSS 0.08% · 24.0th percentile

Risk Scores

CVSS v4.0

7.400000095367432

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

EPSS Score

0.08%

24.0th percentile

Affected Products

Vendor	Product	Versions
navidrome	navidrome	< 0.56.0, 0, < 0.56.0
github.com	navidrome/navidrome	0, 0

Timeline

Jan 21, 1970 Security Advisory
May 29, 2025 CVE Published
May 30, 2025 PoC Published
May 31, 2025 EPSS Score
Jun 2, 2025 Coalition ESS Score
Jun 10, 2025 EPSS Score
Jun 21, 2025 EPSS Score
Jul 1, 2025 EPSS Score
Jul 11, 2025 EPSS Score
Jul 21, 2025 EPSS Score
Aug 1, 2025 EPSS Score
Aug 11, 2025 EPSS Score

References

Open in Interactive Console →