CVE-2025-48949: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in navidrome navidrome
Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information. Version 0.56.0 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2025-48949 is a high-severity SQL Injection vulnerability affecting Navidrome, an open-source web-based music collection server and streamer. The vulnerability exists in versions 0.55.0 through 0.55.2 due to improper input validation on the 'role' parameter within the API endpoint '/api/artist'. Specifically, the application fails to properly neutralize special elements in SQL commands, allowing an attacker to inject arbitrary SQL queries. This can lead to unauthorized access to the backend database, potentially exposing sensitive user information such as user credentials, playlists, or other personal data stored within Navidrome. The vulnerability does not require authentication or user interaction, and can be exploited remotely over the network, increasing its risk profile. The issue has been patched in version 0.56.0. The CVSS 4.0 base score is 8.9, reflecting the critical impact on confidentiality, integrity, and availability, combined with the ease of exploitation. No known exploits are currently reported in the wild, but the vulnerability’s nature makes it a prime target for attackers seeking to compromise music streaming servers or related user data.
Potential Impact
For European organizations using Navidrome, this vulnerability poses a significant risk. Organizations hosting Navidrome instances—such as music streaming services, educational institutions, or cultural organizations—could face data breaches exposing user information, leading to privacy violations under GDPR. Unauthorized database access could also allow attackers to manipulate or delete data, disrupting service availability and damaging organizational reputation. Given the remote exploitability without authentication, attackers could leverage this flaw to pivot into internal networks if Navidrome servers are not properly segmented. The breach of personal data could result in regulatory fines and loss of user trust. Additionally, if Navidrome is integrated into larger media or entertainment platforms, the impact could cascade, affecting broader service ecosystems.
Mitigation Recommendations
European organizations should immediately upgrade Navidrome to version 0.56.0 or later, where the vulnerability is patched. Until the upgrade can be applied, restrict access to the Navidrome API endpoint '/api/artist' with network-level controls such as IP allowlisting or VPN-only access. Employ Web Application Firewalls (WAFs) with rules to detect and block SQL injection patterns targeting the 'role' parameter. Apply strict input validation and sanitization to all user-supplied data, especially API parameters. Regularly audit and monitor database logs for suspicious queries indicative of injection attempts. Apply least-privilege principles to the database account used by Navidrome to limit the damage possible from exploitation. Finally, maintain an incident response plan so that any signs of compromise can be addressed quickly.
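As an added illustration of the input-validation advice above (example code written for this page, not Navidrome's own; the role names, table and column names are assumed), the following Go snippet contrasts string concatenation of the `role` parameter with an allowlist check plus a bound parameter:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// allowedRoles is an assumed allowlist for the artist `role` query parameter.
// It is illustrative only and not taken from Navidrome's source.
var allowedRoles = map[string]bool{
	"artist": true, "albumartist": true, "composer": true, "performer": true,
}

// ErrInvalidRole is returned when the role is not on the allowlist.
var ErrInvalidRole = errors.New("invalid artist role")

// unsafeArtistQuery shows the pattern the advisory warns about: the
// caller-supplied role is concatenated straight into the SQL text, so any
// quote or operator characters in it become part of the statement.
func unsafeArtistQuery(role string) string {
	return "SELECT id, name FROM artist WHERE role = '" + role + "'"
}

// safeArtistQuery applies two independent defences: the role must be one of a
// small fixed set, and the value is still passed as a bound parameter rather
// than spliced into the SQL. It returns the statement and its argument list
// in the form database/sql expects (db.Query(sql, args...)).
func safeArtistQuery(role string) (string, []any, error) {
	normalized := strings.ToLower(strings.TrimSpace(role))
	if !allowedRoles[normalized] {
		return "", nil, fmt.Errorf("%w: %q", ErrInvalidRole, role)
	}
	return "SELECT id, name FROM artist WHERE role = ?", []any{normalized}, nil
}

func main() {
	// Constructed input containing SQL metacharacters, used only to show
	// that the unsafe builder embeds them verbatim while the safe one refuses.
	hostile := "composer' OR '1'='1"
	fmt.Println(unsafeArtistQuery(hostile))
	if _, _, err := safeArtistQuery(hostile); err != nil {
		fmt.Println("rejected:", err)
	}
	q, args, _ := safeArtistQuery("Composer")
	fmt.Println(q, args)
}
```

The allowlist is the primary control here; the placeholder is defence in depth so that a future change to the allowed set cannot reintroduce concatenation.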
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-28T18:49:07.584Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 683a0a8d182aa0cae2be195f
Added to database: 5/30/2025, 7:44:13 PM
Last enriched: 7/8/2025, 1:54:48 PM
Last updated: 8/18/2025, 9:14:04 PM