CVE-2025-48948: CWE-863: Incorrect Authorization in navidrome navidrome

High
Tags: Vulnerability, CVE-2025-48948, cve, cwe-863
Published: Fri May 30 2025 (05/30/2025, 19:25:41 UTC)
Source: CVE Database V5
Vendor/Project: navidrome
Product: navidrome

Description

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.

AI-Powered Analysis

Last updated: 07/08/2025, 13:54:36 UTC

Technical Analysis

CVE-2025-48948 is a high-severity vulnerability in Navidrome, an open-source web-based music collection server and streamer. It is classified as CWE-863 (Incorrect Authorization). In Navidrome versions prior to 0.56.0, a permission verification weakness lets any authenticated regular user bypass the checks that reserve transcoding configuration for administrators, so such a user can create, modify and delete transcoding settings. Transcoding in Navidrome converts audio on the fly into other formats or bitrates; a transcoding setting defines the target format, the default bitrate and the external encoder command line that Navidrome runs, which is why these settings are meant to be administrator-only. The threat model treats administrators as trusted and regular users as untrusted, so the flaw is a significant risk wherever transcoding is enabled. Exploitation requires nothing beyond an ordinary authenticated account and no interaction from any other user. The CVSS 4.0 base score is 7.4 (high): network attack vector, low attack complexity, low privileges required (a regular user login), no user interaction, and high impact on confidentiality, integrity and availability. The vulnerability was published on May 30, 2025 and fixed in Navidrome 0.56.0. No exploitation in the wild has been reported. A malicious user could manipulate transcoding settings to degrade or disrupt service, for example through resource-intensive encodes that exhaust the server or cause denial of service, or to alter how media is delivered to other users.
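The authorization gap described above, shown as an added Go example that is not Navidrome's code. The vulnerable route chain authenticates the caller but never checks the admin flag before a write, so a regular user can create, modify or delete a setting; the fixed chain inserts that check between authentication and the handler while leaving reads open. Everything here is hypothetical: the `X-Session` header, the session table, the `/api/transcoding` route, the `User` type and the `name`/`format` query parameters are assumptions made for the illustration, and Navidrome's real routes and types differ.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// User is a hypothetical session principal, not Navidrome's user type.
type User struct {
	Name    string
	IsAdmin bool
}

type ctxKey struct{}

// Constructed session table standing in for a real session store.
var sessions = map[string]User{
	"sess-admin": {Name: "alice", IsAdmin: true},
	"sess-user":  {Name: "bob", IsAdmin: false},
}

// store is a toy stand-in for the transcoding settings table (name -> format).
type store struct{ items map[string]string }

func newStore() *store { return &store{items: map[string]string{"opus-96": "opus"}} }

// authenticate resolves the caller from a hypothetical X-Session header.
func authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := sessions[r.Header.Get("X-Session")]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, u)))
	})
}

// requireAdminForWrites is the check the vulnerable chain lacks: any
// authenticated user may read, but every mutating method needs IsAdmin.
func requireAdminForWrites(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, _ := r.Context().Value(ctxKey{}).(User)
		if r.Method != http.MethodGet && !u.IsAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// transcodingHandler lists (GET), creates or updates (PUT) and deletes (DELETE)
// the setting named by ?name=, trusting the middleware chain to authorize the caller.
func transcodingHandler(s *store) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name, format := r.URL.Query().Get("name"), r.URL.Query().Get("format")
		switch r.Method {
		case http.MethodGet:
			fmt.Fprintf(w, "%d setting(s)\n", len(s.items))
		case http.MethodPut:
			if name == "" || format == "" {
				http.Error(w, "bad request", http.StatusBadRequest)
				return
			}
			s.items[name] = format
			w.WriteHeader(http.StatusCreated)
		case http.MethodDelete:
			delete(s.items, name)
			w.WriteHeader(http.StatusNoContent)
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
}

// vulnerableMux wires authentication only, so any logged-in user can create,
// modify or delete settings: the CWE-863 shape the advisory describes.
func vulnerableMux(s *store) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/transcoding", authenticate(transcodingHandler(s)))
	return mux
}

// fixedMux inserts the authorization step between authentication and the handler.
func fixedMux(s *store) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/transcoding", authenticate(requireAdminForWrites(transcodingHandler(s))))
	return mux
}

// exercise sends one request as the given session and returns the status code.
func exercise(h http.Handler, session, method string) int {
	req := httptest.NewRequest(method, "/api/transcoding?name=mp3-128&format=mp3", nil)
	req.Header.Set("X-Session", session)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, regular user PUT:", exercise(vulnerableMux(newStore()), "sess-user", http.MethodPut))
	fmt.Println("fixed, regular user PUT:", exercise(fixedMux(newStore()), "sess-user", http.MethodPut))
	fmt.Println("fixed, regular user GET:", exercise(fixedMux(newStore()), "sess-user", http.MethodGet))
	fmt.Println("fixed, admin DELETE:", exercise(fixedMux(newStore()), "sess-admin", http.MethodDelete))
	fmt.Println("fixed, no session PUT:", exercise(fixedMux(newStore()), "", http.MethodPut))
}
```

The `exercise` helper turns the advisory's claim ("any authenticated regular user can modify transcoding settings") into a regression check: against the vulnerable chain a regular user's PUT returns 201 and the store changes, against the fixed chain the same request returns 403 and the store is untouched, while an administrator's write and a regular user's read still succeed.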

Potential Impact

For European organizations running Navidrome as a music streaming or media server, the vulnerability is a significant risk. Unauthorized changes to transcoding settings by regular users can disrupt service, degrade performance or expose media that should be restricted. Where Navidrome is part of a larger media distribution or archival system, the availability and integrity of those downstream services are affected as well, and settings tuned to consume server resources can create denial-of-service conditions for other users or for services sharing the same host. The confidentiality impact is also notable, since altered configurations might open access to streams or files that should be restricted. Because exploitation needs only an authenticated regular account, the realistic threat actors are insiders and attackers holding a compromised user account, whether the instance is internal or public-facing. Given the low barrier to exploitation and the impact on core functions, European entities should prioritize remediation to maintain service integrity and meet security compliance obligations.

Mitigation Recommendations

1. Upgrade to Navidrome 0.56.0 or later, which patches the authorization flaw. This is the only complete fix.
2. Restrict account creation and enforce strong authentication so that only known, necessary regular users can log in, shrinking the pool of accounts that could exploit the flaw.
3. Use network segmentation and access controls to keep Navidrome servers away from untrusted networks and users.
4. Monitor and audit transcoding configuration changes so that unauthorized modifications are detected promptly.
5. Where an application-layer firewall or WAF already sits in front of Navidrome, add rules that log or block calls to the transcoding configuration API from anything other than known administrator sessions. A WAF cannot reliably tell an administrator from a regular user on its own, so treat this as a detective control rather than a substitute for the patch.
6. If upgrading immediately is not feasible, turn off transcoding configuration: Navidrome only exposes these operations when the `ND_ENABLETRANSCODINGCONFIG` option is enabled (it is off by default), so leaving it disabled removes the affected operations until the upgrade is done. Existing transcoding profiles keep working; only editing them is blocked.
7. Make administrators and users aware of the issue and ask them to report suspicious activity.
8. Forward Navidrome logs to a centralized Security Information and Event Management (SIEM) system to improve detection.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-28T18:49:07.583Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 683a0a8d182aa0cae2be196d

Added to database: 5/30/2025, 7:44:13 PM

Last enriched: 7/8/2025, 1:54:36 PM

Last updated: 8/7/2025, 4:33:42 AM
