
CVE-2025-48949: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in navidrome navidrome

Severity: High
Tags: Vulnerability, CVE-2025-48949, CWE-89
Published: Fri May 30 2025 (05/30/2025, 19:40:51 UTC)
Source: CVE Database V5
Vendor/Project: navidrome
Product: navidrome

Description

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information. Version 0.56.0 contains a patch for the issue.

AI-Powered Analysis

AI analysis last updated: 07/08/2025, 13:54:48 UTC

Technical Analysis

CVE-2025-48949 is a high-severity SQL Injection vulnerability affecting Navidrome, an open-source web-based music collection server and streamer. The vulnerability exists in versions 0.55.0 through 0.55.2 due to improper input validation on the 'role' parameter within the API endpoint '/api/artist'. Specifically, the application fails to properly neutralize special elements in SQL commands, allowing an attacker to inject arbitrary SQL queries. This can lead to unauthorized access to the backend database, potentially exposing sensitive user information such as user credentials, playlists, or other personal data stored within Navidrome. The vulnerability does not require authentication or user interaction, and can be exploited remotely over the network, increasing its risk profile. The issue has been patched in version 0.56.0. The CVSS 4.0 base score is 8.9, reflecting the critical impact on confidentiality, integrity, and availability, combined with the ease of exploitation. No known exploits are currently reported in the wild, but the vulnerability’s nature makes it a prime target for attackers seeking to compromise music streaming servers or related user data.

Potential Impact

For European organizations using Navidrome, this vulnerability poses a significant risk. Organizations hosting Navidrome instances—such as music streaming services, educational institutions, or cultural organizations—could face data breaches exposing user information, leading to privacy violations under GDPR. Unauthorized database access could also allow attackers to manipulate or delete data, disrupting service availability and damaging organizational reputation. Given the remote exploitability without authentication, attackers could leverage this flaw to pivot into internal networks if Navidrome servers are not properly segmented. The breach of personal data could result in regulatory fines and loss of user trust. Additionally, if Navidrome is integrated into larger media or entertainment platforms, the impact could cascade, affecting broader service ecosystems.

Mitigation Recommendations

European organizations should immediately upgrade Navidrome to version 0.56.0 or later, where the vulnerability is patched. Until upgrade, restrict access to the Navidrome API endpoint '/api/artist' by implementing network-level controls such as IP whitelisting or VPN access. Employ Web Application Firewalls (WAFs) with rules to detect and block SQL injection patterns targeting the 'role' parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially API parameters. Regularly audit and monitor database logs for suspicious queries indicative of injection attempts. Implement least privilege principles for database accounts used by Navidrome to limit potential damage from exploitation. Finally, maintain an incident response plan to quickly address any signs of compromise.
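As an added defensive example (not Navidrome's own code), the Go below shows the two controls the recommendations call for: an allowlist on `role` in front of a parameterized query, and a scan over constructed access-log lines for `/api/artist` requests whose `role` fails that check. The accepted role values and the log format are assumptions made for this example.

```go
package main

import (
	"net/url"
	"strings"
)

// Accepted values for `role`: an assumption for this example, not Navidrome's real list.
var allowedRoles = map[string]bool{"artist": true, "albumartist": true, "composer": true}
// ValidateRole is the allowlist check to run before the value gets near any SQL.
// It returns the canonical role and whether the input was acceptable.
func ValidateRole(raw string) (string, bool) {
	role := strings.ToLower(strings.TrimSpace(raw))
	return role, allowedRoles[role]
}

// ArtistQuery returns a parameterized statement for database/sql: even the validated
// role reaches the database only as a bound argument, never spliced into the SQL text.
func ArtistQuery(role string) (string, []interface{}, bool) {
	r, ok := ValidateRole(role)
	if !ok {
		return "", nil, false
	}
	return "SELECT id, name FROM artist WHERE role = ?", []interface{}{r}, true
}

// SuspiciousArtistRequests flags access-log lines whose /api/artist request
// carries a role that fails ValidateRole: a retrospective check for 0.55.x hosts.
func SuspiciousArtistRequests(logLines []string) []string {
	var hits []string
	for _, line := range logLines {
		for _, f := range strings.Fields(line) {
			u, err := url.Parse(f)
			if err != nil || u.Path != "/api/artist" || !u.Query().Has("role") {
				continue
			}
			if _, ok := ValidateRole(u.Query().Get("role")); !ok {
				hits = append(hits, line)
				break
			}
		}
	}
	return hits
}
// Constructed sample access-log lines, not real Navidrome logs.
var SampleLogs = []string{
	`10.0.0.5 - - [30/May/2025:19:40:51 +0000] "GET /api/artist?role=artist HTTP/1.1" 200`,
	`10.0.0.9 - - [30/May/2025:19:41:02 +0000] "GET /api/artist?role=composer HTTP/1.1" 200`,
	`203.0.113.7 - - [30/May/2025:19:41:10 +0000] "GET /api/artist?role=artist%27 HTTP/1.1" 200`,
}
```

Running `SuspiciousArtistRequests(SampleLogs)` returns only the third line, whose decoded role contains a quote and so is not in the allowlist.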


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-28T18:49:07.584Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 683a0a8d182aa0cae2be195f

Added to database: 5/30/2025, 7:44:13 PM

Last enriched: 7/8/2025, 1:54:48 PM

Last updated: 8/16/2025, 6:54:34 PM
