CVE-2025-27112
Published 2025-02-24
CVE-2025-27112: Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API…
CVSS 3.1: 6.5 (Medium)
Exploited in the wild (VulnCheck KEV)
EPSS: 0.94% (56.3rd percentile)
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | navidrome_navidrome | >= 0.52.0 < 0.54.5 | 0.54.5 |
| navidrome | navidrome | — | — |
| navidrome | navidrome | >= 0.52.0 < 0.54.5 | 0.54.5 |
Detection & IOCs (extracted from sources)
- Detect authentication bypass attempts against the Navidrome Subsonic API: look for requests to /rest/ endpoints where the username parameter (u=) does not correspond to any existing system user, combined with a salted MD5 hash of an empty password (t= and s= parameters).
- Alert on Subsonic API responses returning '"status":"ok"' alongside 'subsonic-response' and 'navidrome' body tokens for requests using non-existent usernames; this indicates a successful authentication bypass.
- Monitor for Shodan-exposed Navidrome instances via the fingerprint html:"content=\"Navidrome\""; these are likely targets for CVE-2025-27112 exploitation.
- Flag requests to Navidrome /rest/ endpoints using the client identifier c=castafiore with version v=1.16.1, as this combination is used in known exploit templates for CVE-2025-27112.
- The vulnerability affects Navidrome versions 0.52.0 through 0.54.4 (prior to 0.54.5). Instances running 0.54.5 or later are patched and not vulnerable.
- The bypass only grants read-only access; write/modify operations are blocked with 'permission denied', so data exfiltration (e.g., playlists) is possible but data modification is not.
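As an added defensive example (not part of this advisory, the listed sources, or Navidrome's own code), the first and fourth detection notes above run over constructed access-log lines. It assumes the documented Subsonic token scheme t = md5(password + salt), a hypothetical set of real usernames, and a combined-log request format; the castafiore/1.16.1 client tag is the one named in the notes.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit


def empty_password_token(salt: str) -> str:
    # Subsonic token scheme: t = md5(password + salt). With an empty password this is md5(salt),
    # which is exactly the token the advisory says a non-existent user can present.
    return hashlib.md5(salt.encode()).hexdigest()


def analyze_request(target: str, known_users: set) -> list:
    """Return detection tags for one Subsonic request target (path + query); [] if nothing matched."""
    parts = urlsplit(target)
    if not parts.path.startswith("/rest/"):
        return []
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    user, token, salt = q.get("u"), q.get("t"), q.get("s")
    if user is None or token is None or salt is None:
        return []  # not token-style auth (e.g. p= password auth); not the pattern described here
    tags = []
    if user not in known_users:
        tags.append("unknown-user")
    if token.lower() == empty_password_token(salt):
        tags.append("empty-password-token")
    if q.get("c") == "castafiore" and q.get("v") == "1.16.1":
        tags.append("known-template-client")
    if "unknown-user" in tags and "empty-password-token" in tags:
        tags.append("CVE-2025-27112-bypass")  # both conditions together are the bypass signature
    return tags


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_log(lines, known_users) -> list:
    """Return (request_target, tags) for every log line that produced at least one tag."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            tags = analyze_request(m.group(1), known_users)
            if tags:
                hits.append((m.group(1), tags))
    return hits


# Constructed sample data (assumptions, not from a real deployment). Tokens are computed here
# rather than hand-typed so the sample stays consistent with the token scheme.
KNOWN_USERS = {"alice"}
SAMPLE_LOG = [
    f'10.0.0.5 - - [24/Feb/2025:10:01:02 +0000] "GET /rest/getPlaylists?u=alice&t={hashlib.md5(b"hunter2" + b"n3XtsalT").hexdigest()}&s=n3XtsalT&v=1.16.1&c=myclient&f=json HTTP/1.1" 200 512',
    f'10.0.0.9 - - [24/Feb/2025:10:02:15 +0000] "GET /rest/getPlaylists?u=ghost&t={empty_password_token("abc123")}&s=abc123&v=1.16.1&c=castafiore&f=json HTTP/1.1" 200 640',
    '10.0.0.9 - - [24/Feb/2025:10:02:16 +0000] "GET /app/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for target, tags in scan_log(SAMPLE_LOG, KNOWN_USERS):
        print(target, "->", ",".join(tags))
```

The first sample line (a real user with a real password) and the third (a non-Subsonic path) produce no tags; only the second line, carrying an unknown user with an empty-password token, is reported.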
CVSS provenance
- NVD, CVSS v3.1: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- NVD, CVSS v4.0: 6.9 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 6.9 MEDIUM
OSV (2025-03-03): Navidrome allows an authentication bypass in Subsonic API with non-existent username in github.com/navidrome/navidrome
GHSA (2025-02-25) · CVE-2025-27112 [MEDIUM] · CWE-287: Navidrome allows an authentication bypass in Subsonic API with non-existent username
### Summary
In certain Subsonic API endpoints, authentication can be bypassed by using a non-existent username combined with an empty (salted) password hash. This allows read-only access to the server’s resources, though attempts at write operations fail with a “permission denied” error.
### Details
A flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials.
### Proof of Concept (PoC)
1. Generate a random salt:
```javascript
// e.g.
```
OSV (2025-02-25) · CVE-2025-27112 [MEDIUM]: Navidrome allows an authentication bypass in Subsonic API with non-existent username
VulnCheck (2025) · CVE-2025-27112 [MEDIUM] · CVSS 6.9: navidrome navidrome Improper Authentication
No detection rules found.
Nuclei · CVE-2025-27112 [MEDIUM] · CVSS 6.9: Navidrome <=0.54.5 - Authentication Bypass in Subsonic API