CVE-2025-27112

Navidrome has authentication bypass in Subsonic API with non-existent username

Basic Information

CVE State
PUBLISHED
Reserved Date
February 18, 2025
Published Date
February 24, 2025
Last Updated
February 24, 2025
Vendor
navidrome
Product
navidrome
Description
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.
Tags
nuclei_scanner

CVSS Scores

CVSS v4.0

6.9 - MEDIUM

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CVSS v3.1

6.5 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Score

Score
9.39% (Percentile: 92.41%) as of 2025-07-24

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2025-06-24 00:00:00 UTC) Source

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-06-25 12:00:45 UTC

Scanner Integrations

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel