cbcvebase.
CVE-2024-47062
published 2024-09-20

CVE-2024-47062: Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be…

PriorityP263high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
4.46%
90.2th percentile
Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username. When adding parameters to the URL, they are automatically included in an SQL `LIKE` statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with `AAA`. This results in an SQL query like `password LIKE 'AAA%'`, allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected

2 ranges
VendorProductVersion rangeFixed in
github.comnavidrome_navidrome>= 0 < 0.53.00.53.0
navidromenavidrome< 0.53.00.53.0

Detection & IOCsextracted from sources · hover to see the quote

url/api/album?_end=36&_order=DESC&_sort=recently_added&_start=0&1+like+1)+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,(select+group_concat(concat(user_name,':',password))from+user),15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49--=123
path/api/album
yara
rule CVE_2024_47062_Navidrome_SQLi { strings: $sqli_param = "1+like+1)+union+select" ascii $sqli_path = "/api/album" ascii $password_leak = "password LIKE" ascii condition: $sqli_path and $sqli_param }
sigma
title: CVE-2024-47062 Navidrome ORM Leak / SQL Injection
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'union+select'
      - 'like+1)+union'
      - 'group_concat'
      - 'from+user'
    cs-uri-stem|contains: '/api/album'
  condition: selection
  • Exploit uses a UNION-based SQL injection payload injected as a URL query parameter name (not value) against the /api/album endpoint. Look for query strings containing 'union+select' or 'group_concat' in requests to /api/album.
  • ORM leak attack appends known column names (e.g., 'password=AAA') as URL parameters to /api/album, resulting in a 'password LIKE AAA%' SQL clause. Monitor for unexpected parameter names matching database column names in API requests.
  • Authentication bypass: a username value of '%' (percent sign) can be used to log in due to the username being evaluated in a SQL LIKE statement. Alert on login attempts where the username field is exactly '%'.
  • Shodan fingerprint for exposed Navidrome instances: search for html containing 'content="Navidrome"' to identify attack surface.
  • The exploit is authenticated: it first POSTs credentials to /auth/login to obtain a Bearer token, then uses that token in the x-nd-authorization header for the injection request. Correlate authenticated sessions with subsequent anomalous /api/album query parameters.
  • ·The SQL injection and ORM leak are only exploitable by authenticated users (valid credentials required to obtain a Bearer token before the injection request).
  • ·There are no known workarounds; the only fix is upgrading to Navidrome 0.53.0 or later.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.4CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.