CVE-2025-25205
Published: 12 February 2025
Summary
CVE-2025-25205 is a high-severity Exposure of Sensitive Information Through Data Queries (CWE-202) vulnerability in Audiobookshelf Audiobookshelf. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent unauthenticated requests from bypassing authentication via flawed unanchored regex patterns in URL handling.
Validates query parameters and URL inputs to block crafted substrings like '/api/items/1/cover' that exploit regex flaws for authentication bypass.
Remediates the specific authentication logic flaw through timely patching, as implemented in Audiobookshelf version 2.19.1.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an authentication bypass in a public-facing web server (Audiobookshelf) via flawed regex URL matching, directly enabling exploitation of the application for unauthorized data access and DoS via server crashes in certain routes.
NVD Description
Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a flaw in the authentication bypass logic allows unauthenticated requests to match certain unanchored regex patterns in the URL. Attackers can craft URLs…
more
containing substrings like "/api/items/1/cover" in a query parameter (?r=/api/items/1/cover) to partially bypass authentication or trigger server crashes under certain routes. This could lead to information disclosure of otherwise protected data and, in some cases, a complete denial of service (server crash) if downstream code expects an authenticated user object. Version 2.19.1 contains a patch for the issue.
Deeper analysisAI
Audiobookshelf, a self-hosted audiobook and podcast server, is affected by CVE-2025-25205 in versions starting from 2.17.0 and prior to 2.19.1. The vulnerability arises from a flaw in the authentication bypass logic, where unauthenticated requests can match certain unanchored regex patterns in the URL. This issue, published on 2025-02-12, carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and maps to CWEs 202 (sensitive data exposure), 287 (improper authentication), and 400 (uncontrolled resource consumption).
Unauthenticated attackers with network access can exploit this vulnerability by crafting malicious URLs containing substrings like "/api/items/1/cover" within a query parameter, such as ?r=/api/items/1/cover. This enables partial bypass of authentication, potentially disclosing otherwise protected data. In certain routes, the flaw can also cause server crashes if downstream code assumes an authenticated user object is present, leading to denial of service.
The vulnerability is addressed in Audiobookshelf version 2.19.1. Mitigation details are outlined in the GitHub security advisory (GHSA-pg8v-5jcv-wrvw), pull request #3584, and commits bf8407274e3ee300af1927ee660d078a7a801e1c and ec6537656925a43871b07cfee12c9f383844d224, with the affected authentication logic visible in server/Auth.js lines 17-41.
Details
- CWE(s)