CVE-2025-57800: CWE-523: Unprotected Transport of Credentials in advplyr audiobookshelf
Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes Audiobookshelf to store an arbitrary callback in a cookie, which is later used to redirect the user after authentication. The server then issues a 302 redirect to the attacker-controlled URL, appending sensitive OIDC tokens as query parameters. This allows an attacker to obtain the victim's tokens and perform full account takeover, including creating persistent admin users if the victim is an administrator. Tokens are further leaked via browser history, Referer headers, and server logs. This vulnerability impacts all Audiobookshelf deployments using OIDC; no IdP misconfiguration is required. The issue is fixed in version 2.28.0. No known workarounds exist.
AI Analysis
Technical Summary
CVE-2025-57800 is a critical vulnerability affecting the open-source self-hosted audiobook server Audiobookshelf, specifically versions 2.6.0 through 2.26.3. The issue arises from improper validation and restriction of redirect callback URLs during OpenID Connect (OIDC) authentication. An attacker can craft a malicious login link that causes the Audiobookshelf server to store an arbitrary callback URL in a cookie. After the victim authenticates, the server issues an HTTP 302 redirect to this attacker-controlled URL, appending sensitive OIDC tokens as query parameters. These tokens include access and ID tokens that grant full access to the victim's account. Because these tokens are exposed in the URL, they can be leaked through browser history, Referer headers, and server logs, significantly increasing the risk of compromise. An attacker who obtains these tokens can perform a full account takeover, including creating persistent administrator accounts if the victim has admin privileges. This vulnerability does not require any misconfiguration on the Identity Provider (IdP) side, making all Audiobookshelf deployments using OIDC authentication vulnerable. The flaw involves multiple CWE categories: CWE-523 (Unprotected Transport of Credentials), CWE-598 (Information Exposure), and CWE-601 (Open Redirect). The vulnerability has a CVSS v3.1 score of 8.8 (high severity), reflecting its network attack vector, low attack complexity, no privileges required, but requiring user interaction (victim must click the malicious link). The issue was publicly disclosed on August 22, 2025, and fixed in version 2.28.0. No known workarounds exist, and no exploits have been observed in the wild yet.
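The core defect described above is that a caller-supplied callback is accepted unchecked and later used as a redirect target. The following is an added illustration, not Audiobookshelf's code or its actual fix, written in JavaScript because the server is a Node.js application; it contrasts the unvalidated pattern with a same-origin check that only ever stores a path. `APP_ORIGIN` is an assumed deployment value.

```javascript
// Assumed deployment origin; in a real deployment read it from configuration.
const APP_ORIGIN = "https://audiobooks.example.internal";

// Vulnerable pattern (the class of bug in the advisory): the callback from the
// login link is stored as-is and later used verbatim as the redirect target, so
// an absolute URL on a foreign host is accepted without question.
function unsafeCallback(candidate) {
  return candidate;
}

// Hardened pattern: accept the candidate only if it is an absolute path that
// still resolves to the application's own origin. Anything else collapses to
// the fallback, so the stored value can never name a foreign host.
function safeCallbackPath(candidate, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;
  // Whitespace and control characters can split or hide a second URL.
  if (/[\s\x00-\x1f]/.test(candidate)) return fallback;
  // Browsers treat backslash as slash, so "/\host" would escape the origin.
  if (candidate.includes("\\")) return fallback;
  // Require a single leading slash: rejects "http://host", "//host",
  // "javascript:" and other scheme or protocol-relative forms.
  if (!candidate.startsWith("/") || candidate.startsWith("//")) return fallback;
  let parsed;
  try {
    parsed = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== APP_ORIGIN) return fallback;
  // Store only path, query and fragment, never an origin.
  return parsed.pathname + parsed.search + parsed.hash;
}
```

Even with the target restricted, tokens still do not belong in the query string of the redirect; the check above only closes the off-site leg.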
Potential Impact
For European organizations using Audiobookshelf with OIDC authentication, this vulnerability poses a significant risk of account compromise and unauthorized administrative access. Audiobookshelf is often deployed in self-hosted environments, including educational institutions, libraries, and media organizations that manage audiobook collections. Successful exploitation could lead to unauthorized access to, manipulation of, or deletion of audiobook content, disruption of service availability, and potential lateral movement within the organization's network if the compromised account has elevated privileges. The exposure of OIDC tokens also risks broader identity compromise if the tokens are reused by or linked to other services. Because the tokens are leaked via URLs, browser history, and logs, forensic investigation and remediation become more complex. Since no IdP misconfiguration is required, organizations cannot rely on IdP settings to mitigate this risk, which increases the urgency of updating Audiobookshelf. The impact extends beyond confidentiality to integrity and availability, as attackers can create persistent admin users, potentially locking out legitimate administrators or injecting malicious content. This could also damage organizational reputation and violate data protection regulations such as GDPR if personal data is accessed or exposed.
Mitigation Recommendations
The primary mitigation is to upgrade Audiobookshelf to version 2.28.0 or later, where the vulnerability is fixed by properly validating and restricting redirect callback URLs during OIDC authentication. Organizations should prioritize this update in their patch management cycles. Until the update is applied, organizations should restrict access to the Audiobookshelf server to trusted networks and users to reduce exposure to malicious login links. Implementing strict Content Security Policies (CSP) and monitoring HTTP logs for unusual redirect patterns or unexpected 302 responses can help detect exploitation attempts. Additionally, organizations should educate users about the risks of clicking unsolicited login links and encourage the use of multi-factor authentication (MFA) where possible to reduce the impact of token theft. Reviewing and rotating OIDC tokens and credentials after patching can help invalidate any stolen tokens. Logging and monitoring should be enhanced to detect suspicious account activities, such as unexpected admin user creation. Finally, organizations should audit their OIDC configurations and ensure that tokens are never exposed in URLs or logs in other integrated systems.
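The log-monitoring recommendation above can be made concrete. The following is an added example, not part of the advisory or the project, that scans web-server or proxy log lines for the exact symptom described: a 302 whose Location query carries OIDC token material, flagged as worst-case when the target is not the application's own host. The log format, host names, route paths and all sample lines are constructed for this example.

```javascript
// Assumed host of the Audiobookshelf deployment; constructed for this example.
const APP_HOST = "audiobooks.example.internal";
// Query parameters that should never appear in a redirect target.
const TOKEN_PARAMS = ["access_token", "id_token", "refresh_token"];

// Constructed sample lines in a simplified "<ip> <method> <path> <status> <location>"
// format. The first is a normal post-login redirect, the second the normal hop to
// the IdP (off-host but carrying no tokens), the third the leak pattern from the
// advisory, the fourth an unrelated request.
const SAMPLE_LOG = [
  '10.0.0.5 GET /auth/openid/callback 302 "https://audiobooks.example.internal/library"',
  '10.0.0.6 GET /auth/openid 302 "https://idp.example/authorize?client_id=abs&redirect_uri=https%3A%2F%2Faudiobooks.example.internal%2Fauth%2Fopenid%2Fcallback&state=c0nstructed"',
  '10.0.0.9 GET /auth/openid/callback 302 "https://untrusted.example.net/?access_token=eyJ.constructed.token&id_token=eyJ.constructed.id"',
  '10.0.0.7 GET /api/items 200 "-"',
];

const LINE_RE = /^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$/;

// Returns a finding when a 302 carries token material in its Location query,
// with offHost marking the worst case (target is not our own host); null otherwise.
function inspectLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, , path, status, location] = m;
  if (status !== "302" || location === "-") return null;
  let target;
  try {
    // Relative Locations resolve against our own host, so they count as on-host.
    target = new URL(location, `https://${APP_HOST}`);
  } catch {
    return null;
  }
  const leaked = TOKEN_PARAMS.filter((p) => target.searchParams.has(p));
  if (leaked.length === 0) return null;
  return { ip, path, host: target.host, offHost: target.host !== APP_HOST, leaked };
}

// Scans a batch of lines and returns only the findings.
function scanLog(lines) {
  return lines.map(inspectLine).filter((f) => f !== null);
}
```

A token-bearing redirect to the application's own host is still a finding here, since the advisory's leak into browser history and Referer headers does not depend on the target being foreign.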
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-20T14:30:35.009Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a8a63bad5a09ad0020a08b
Added to database: 8/22/2025, 5:17:47 PM
Last enriched: 8/22/2025, 5:32:44 PM
Last updated: 10/7/2025, 8:32:32 AM