CVE-2025-48949 is a high-severity SQL Injection vulnerability affecting Navidrome, an open-source web-based music collection server and streamer. The vulnerability exists in versions 0.55.0 through 0.55.2 due to improper input validation on the 'role' parameter within the API endpoint '/api/artist'. Specifically, the application fails to properly neutralize special elements in SQL commands, allowing an attacker to inject arbitrary SQL queries. This can lead to unauthorized access to the backend database, potentially exposing sensitive user information such as user credentials, playlists, or other personal data stored within Navidrome. The vulnerability does not require authentication or user interaction, and can be exploited remotely over the network, increasing its risk profile. The issue has been patched in version 0.56.0. The CVSS 4.0 base score is 8.9, reflecting the critical impact on confidentiality, integrity, and availability, combined with the ease of exploitation. No known exploits are currently reported in the wild, but the vulnerability’s nature makes it a prime target for attackers seeking to compromise music streaming servers or related user data.

For European organizations using Navidrome, this vulnerability poses a significant risk. Organizations hosting Navidrome instances—such as music streaming services, educational institutions, or cultural organizations—could face data breaches exposing user information, leading to privacy violations under GDPR. Unauthorized database access could also allow attackers to manipulate or delete data, disrupting service availability and damaging organizational reputation. Given the remote exploitability without authentication, attackers could leverage this flaw to pivot into internal networks if Navidrome servers are not properly segmented. The breach of personal data could result in regulatory fines and loss of user trust. Additionally, if Navidrome is integrated into larger media or entertainment platforms, the impact could cascade, affecting broader service ecosystems.

European organizations should immediately upgrade Navidrome to version 0.56.0 or later, where the vulnerability is patched. Until upgrade, restrict access to the Navidrome API endpoint '/api/artist' by implementing network-level controls such as IP whitelisting or VPN access. Employ Web Application Firewalls (WAFs) with rules to detect and block SQL injection patterns targeting the 'role' parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially API parameters. Regularly audit and monitor database logs for suspicious queries indicative of injection attempts. Implement least privilege principles for database accounts used by Navidrome to limit potential damage from exploitation. Finally, maintain an incident response plan to quickly address any signs of compromise.