CVE-2025-46338 is a reflected cross-site scripting (XSS) vulnerability identified in the advplyr audiobookshelf product, a self-hosted audiobook and podcast server. The vulnerability exists in versions prior to 2.21.0, specifically in the `/api/upload` endpoint. The issue arises from improper neutralization of input during web page generation, classified under CWE-79. An attacker can submit malicious JavaScript payloads via the `libraryId` field. Because the input is not properly sanitized, it is reflected in the server's error message response. This reflection enables arbitrary JavaScript execution in the victim's browser when the error message is viewed. The vulnerability does not require authentication, user interaction, or privileges, and can be exploited remotely over the network. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation (network accessible, no authentication), but limited impact on confidentiality, integrity, and availability since it is a reflected XSS. No known exploits have been reported in the wild as of the publication date (April 29, 2025). The issue has been patched in version 2.21.0 of audiobookshelf. This vulnerability could be leveraged to execute malicious scripts in users’ browsers, potentially leading to session hijacking, phishing, or other client-side attacks if victims access the vulnerable endpoint or error messages. However, the impact is limited to users interacting with the affected web interface and does not directly compromise the server or backend data integrity or availability.

For European organizations using audiobookshelf versions prior to 2.21.0, this vulnerability poses a risk primarily to end users who access the web interface, especially administrators or users who upload content via the `/api/upload` endpoint. Successful exploitation could lead to theft of session cookies, unauthorized actions performed in the context of the victim’s browser, or delivery of further malware via script injection. While the server backend remains uncompromised, the client-side impact could result in data exposure or unauthorized access to user accounts. Organizations in sectors with strict data protection regulations (e.g., GDPR) could face compliance risks if user data is exposed through exploitation. Additionally, if audiobookshelf is used in corporate or educational environments, attackers could leverage XSS to escalate attacks or gain footholds in internal networks. The lack of known exploits reduces immediate risk, but the ease of exploitation and network accessibility mean that targeted phishing or automated scanning campaigns could emerge. The impact is thus moderate but should not be underestimated given the potential for lateral attack vectors and reputational damage.

1. Upgrade audiobookshelf installations to version 2.21.0 or later immediately to apply the official patch addressing this vulnerability. 2. Implement web application firewall (WAF) rules to detect and block suspicious payloads targeting the `/api/upload` endpoint, specifically filtering anomalous `libraryId` inputs containing script tags or encoded JavaScript. 3. Employ Content Security Policy (CSP) headers on the audiobookshelf web interface to restrict execution of unauthorized scripts and reduce the impact of potential XSS payloads. 4. Conduct regular security audits and penetration testing focusing on input validation and error message handling in self-hosted applications. 5. Educate users and administrators about the risks of reflected XSS and encourage cautious behavior when interacting with error messages or unexpected prompts. 6. Monitor logs for unusual requests to the `/api/upload` endpoint that may indicate exploitation attempts. 7. If upgrading is not immediately feasible, consider restricting access to the audiobookshelf web interface to trusted networks or VPNs to reduce exposure. These mitigations go beyond generic advice by focusing on specific controls tailored to the vulnerability’s exploitation vector and the product’s deployment context.