CVE-2025-27112
published 2025-02-24

Priority: P1 (79) · CVSS 3.1: 6.5 medium
Vector: AV:N AC:L PR:N UI:N S:U C:L I:L A:N
ITW / exploit: VulnCheck KEV · Exploited in the wild
EPSS: 0.94% (56.3rd percentile)
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
github.com | navidrome_navidrome | >= 0.52.0 < 0.54.5 | 0.54.5
navidrome | navidrome | | 
navidrome | navidrome | >= 0.52.0 < 0.54.5 | 0.54.5

Detection & IOCs (extracted from sources)

url: /rest/getPlaylists?u=FakeUser&t={{md5(username)}}&s={{username}}&v=1.16.1&c=castafiore&f=json
path: /rest/getPlaylists
Note on the template: Subsonic token auth defines t = md5(password + s). The template reuses the username as the salt and sends t = md5(username), which is precisely the token for an empty password with that salt; the "FakeUser" name is any account that does not exist on the server.
  • Detect authentication bypass attempts against the Navidrome Subsonic API: look for requests to /rest/ endpoints where the username parameter ('u=') does not correspond to any existing system user, combined with the salted MD5 hash of an empty password, i.e. the 't=' value equals md5('' + s) = md5(s) for the request's 's=' salt.
  • Alert on Subsonic API responses returning '"status":"ok"' alongside 'subsonic-response' and 'navidrome' body tokens for requests using non-existent usernames — this indicates a successful authentication bypass.
  • Monitor for Shodan-exposed Navidrome instances via the fingerprint html:"content=\"Navidrome\"" — these are likely targets for CVE-2025-27112 exploitation.
  • Flag requests to Navidrome /rest/ endpoints using the client identifier 'c=castafiore' with version 'v=1.16.1', as this combination is used in known exploit templates for CVE-2025-27112.
  • The vulnerability affects Navidrome versions 0.52.0 through 0.54.4 (prior to 0.54.5). Instances running 0.54.5 or later are patched and not vulnerable.
  • The bypass only grants read-only access; write/modify operations are blocked with 'permission denied', so unauthorized disclosure of data (e.g., playlists) is possible but data modification is not.
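The token scheme in the description above (Subsonic's t = md5(password + s)) and the first two detection bullets, as an added example that is not code from this page or from the Navidrome project: it computes the empty-password token for a given salt, classifies each /rest/ request from a Combined Log Format access log, and runs that over a handful of constructed log lines. Assumptions (not from the page): the reverse proxy writes Combined Log Format, the real user list is available as `KNOWN_USERS` (here a constructed set), and the helper names (`classify_request`, `scan_log`, `_target`, `_line`, `SAMPLE_LOG`) are mine.

```python
import hashlib
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed example of the server's real user list. In practice, pull it from
# the Navidrome database or its admin API; it is the reference for "unknown user".
KNOWN_USERS = {"admin", "alice"}


def subsonic_token(password: str, salt: str) -> str:
    """Subsonic token-based auth: t = md5(password + s), lowercase hex."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def is_empty_password_token(token: str, salt: str) -> bool:
    """True when t is the token for an empty password with this salt.

    With password == "" the formula collapses to md5(s), which is exactly what the
    public template sends (t={{md5(username)}}&s={{username}}).
    """
    return token.lower() == subsonic_token("", salt)


def classify_request(target: str, known_users=KNOWN_USERS) -> Optional[str]:
    """Classify a request target (path + query) against the CVE-2025-27112 pattern.

    Returns:
      "bypass"        u= is not a real user AND t == md5(s)  (the bug's trigger)
      "empty_pw"      t == md5(s) for a real user             (worth a look, not the bug)
      "unknown_user"  unknown u= with some other token        (ordinary guessing)
      None            not a token-authenticated /rest/ request
    """
    parts = urlsplit(target)
    if not parts.path.startswith("/rest/"):
        return None
    q = parse_qs(parts.query)
    user = q.get("u", [None])[0]
    token = q.get("t", [None])[0]
    salt = q.get("s", [None])[0]
    if not (user and token and salt):
        return None  # p= (password) auth or malformed query: outside this check
    empty = is_empty_password_token(token, salt)
    unknown = user not in known_users
    if unknown and empty:
        return "bypass"
    if empty:
        return "empty_pw"
    if unknown:
        return "unknown_user"
    return None


# Combined Log Format as written by a reverse proxy in front of Navidrome (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def scan_log(lines, known_users=KNOWN_USERS):
    """Return (ip, label, http_status, target) for every suspicious /rest/ request.

    The Subsonic API reports auth failures inside an HTTP 200 body (status "failed",
    error code 40), so the access-log status code cannot confirm success; confirm a
    "bypass" hit against the response body ("status":"ok") as the IOC above says.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m["target"], known_users)
        if label:
            findings.append((m["ip"], label, m["status"], m["target"]))
    return findings


def _target(user, password, salt, endpoint="getPlaylists"):
    # Builds a request target in the shape of the public template (hypothetical helper).
    return (f"/rest/{endpoint}?u={user}&t={subsonic_token(password, salt)}"
            f"&s={salt}&v=1.16.1&c=castafiore&f=json")


def _line(ip, target):
    # One constructed Combined Log Format line (hypothetical helper).
    return f'{ip} - - [24/Feb/2025:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# Constructed sample log: one real login, one CVE-2025-27112-style request,
# one plain credential guess against an unknown user, one unrelated hit.
SAMPLE_LOG = [
    _line("203.0.113.5", _target("alice", "hunter2", "abc123")),
    _line("198.51.100.7", _target("FakeUser", "", "FakeUser")),
    _line("198.51.100.7", _target("bob", "password", "xyz")),
    _line("203.0.113.5", "/app/"),
]

if __name__ == "__main__":
    for ip, label, status, target in scan_log(SAMPLE_LOG):
        print(f"{label:12} {ip:15} {status} {target}")
```

Running the block prints one "bypass" line (unknown user with t == md5(s)) and one "unknown_user" line; the legitimate alice request and the /app/ hit produce nothing. The check keys on t == md5(s) for whatever salt the client chose, so it is not tied to the template's salt-equals-username habit or to the c=castafiore / v=1.16.1 client strings, which an attacker can change freely.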

CVSS provenance

Source | Version | Score | Vector
nvd | v3.1 | 6.5 MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd | v4.0 | 6.9 MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck | | 6.9 MEDIUM |