CVE-2025-27112

Severity: Medium · Public PoC

Published: 24 February 2025
Modified: 27 February 2025
KEV Added: not listed
Patch: version 0.54.5
CVSS v4.0 base score: 6.9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.2846 (96.6th percentile)
Risk priority: 31 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27112 is a medium-severity Improper Authentication (CWE-287) vulnerability in Navidrome. Its CVSS v4.0 base score is 6.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2025-27112 is an authentication bypass affecting Navidrome, an open-source web-based music collection server and streamer. The issue resides in certain Subsonic API endpoints and affects versions from 0.52.0 up to but not including 0.54.5. In the Subsonic API the client chooses a salt (query parameter s) and sends t = md5(password + salt) as its authentication token; because of a flaw in the authentication check, a request that names an arbitrary, nonexistent username together with the salted hash of an empty password (that is, md5(salt)) is treated as authenticated. This grants access to various Subsonic endpoints without valid credentials. Under CVSS v3.1 the vulnerability is rated 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N); the CVSS v4.0 score shown above is 6.9. It is classified as CWE-287 (Improper Authentication).

An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting requests with a fabricated non-existent username and the salted hash of an empty password, the attacker bypasses authentication and gains read-only access to sensitive data, such as user playlists. Attempts to modify data fail due to insufficient permissions, resulting in "permission denied" errors, which confines the impact to unauthorized information disclosure with limited integrity effects.
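The mechanics above are easier to see in code. The following is an added, illustrative model of the flawed check beside a corrected one; it is not Navidrome's source or its actual fix, and the user store, the dummy password and the function names are assumptions. The token construction (hex MD5 of password followed by the client-chosen salt) is the Subsonic API's, which is why a token for an empty password is simply md5(salt):

```python
import hashlib
import hmac

# Constructed user store standing in for the server's user table (assumption).
USERS = {"alice": "correct horse battery staple"}

# Dummy secret so the hardened path hashes something for unknown users too,
# keeping the work done roughly independent of whether the username exists.
_DUMMY_PASSWORD = "0" * 32


def subsonic_token(password: str, salt: str) -> str:
    """Subsonic API authentication token: lowercase hex MD5 of password + salt.

    The client picks the salt (query parameter s) and sends the token as t,
    so the 'salted hash of an empty password' is just md5(salt).
    """
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def forge_empty_password_token(salt: str) -> str:
    """What an attacker sends as t= together with an arbitrary, nonexistent u=."""
    return subsonic_token("", salt)


def vulnerable_check(username: str, token: str, salt: str) -> bool:
    """Model of the flawed check (illustrative, not Navidrome's code).

    An unknown username is not rejected: the lookup falls through to an empty
    stored password, so md5("" + salt) is accepted as a valid token.
    """
    stored_password = USERS.get(username, "")
    return subsonic_token(stored_password, salt) == token


def hardened_check(username: str, token: str, salt: str) -> bool:
    """Corrected check: unknown users fail closed, comparison is constant-time."""
    stored_password = USERS.get(username)
    expected = subsonic_token(
        stored_password if stored_password is not None else _DUMMY_PASSWORD, salt
    )
    token_ok = hmac.compare_digest(expected.encode("ascii"), token.encode("utf-8"))
    return stored_password is not None and token_ok


if __name__ == "__main__":
    salt = "c19b2d"  # any client-chosen value
    forged = forge_empty_password_token(salt)
    print("vulnerable accepts nonexistent user:", vulnerable_check("ghost", forged, salt))
    print("hardened accepts nonexistent user:  ", hardened_check("ghost", forged, salt))
    good = subsonic_token(USERS["alice"], salt)
    print("hardened accepts alice's real token:", hardened_check("alice", good, salt))
```

The hardened variant makes two separate decisions: the user must exist, and the token must match. Collapsing them into a single comparison against a default value is exactly the shape of bug the advisory describes, and it is worth grepping any credential check for lookups that return an empty or zero value instead of an error.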

The Navidrome security advisory (GHSA-c3p4-vm8f-386p) and the patching commit (287079a9e409fb6b9708ca384d7daa7b5185c1a0) confirm that upgrading to version 0.54.5 resolves the issue by fixing the authentication logic in the affected Subsonic API endpoints. Security practitioners should prioritize updating vulnerable Navidrome instances to mitigate this exposure.

Vulnerability details

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.

CWE(s)

CWE-287 Improper Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in public-facing Navidrome web server/Subsonic API directly enables remote exploitation for initial access without credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
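For the detection side of the T1190 mapping, the distinguishing artifact of this bypass is a Subsonic request whose t parameter equals md5 of its own s parameter. The script below, added here as an example rather than anything from the Navidrome project, scans constructed common-log-style access lines for that property; the log format (reverse proxy in front of Navidrome), the sample addresses, usernames and the `scan` function are all assumptions:

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Common-log-style access lines; the exact format in front of a given
# Navidrome deployment (reverse proxy or app log) is an assumption here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \d+$'
)


def empty_password_token(salt: str) -> str:
    """md5("" + salt): the Subsonic token an attacker sends for an empty password."""
    return hashlib.md5(salt.encode("utf-8")).hexdigest()


def _line(ip: str, endpoint: str, user: str, token: str, salt: str, status: int = 200) -> str:
    """Build one constructed log line in the format LOG_RE expects."""
    return (
        f'{ip} - - [24/Feb/2025:10:01:02 +0000] "GET /rest/{endpoint}.view'
        f'?u={user}&t={token}&s={salt}&v=1.16.1&c=probe&f=json HTTP/1.1" {status} 512'
    )


# Constructed sample: one legitimate request, two forged ones, one non-API hit.
SAMPLE_LOG = [
    _line("10.0.0.5", "getPlaylists", "alice",
          hashlib.md5(b"alice-real-password" + b"a1b2").hexdigest(), "a1b2"),
    _line("203.0.113.9", "getPlaylists", "nobody_xyz", empty_password_token("zz9f1"), "zz9f1"),
    _line("203.0.113.9", "createPlaylist", "nobody_xyz", empty_password_token("77aa"), "77aa"),
    '198.51.100.7 - - [24/Feb/2025:10:02:00 +0000] "GET /app/ HTTP/1.1" 200 1024',
]


def scan(lines, known_users=frozenset()):
    """Return findings for Subsonic API requests whose token equals md5(salt).

    known_users is optional: when given, requests naming a user outside the
    inventory get a second reason, which is what separates the bypass from a
    real account that genuinely has an empty password.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith("/rest/"):
            continue
        q = parse_qs(parts.query)
        user = q.get("u", [None])[0]
        token = q.get("t", [None])[0]
        salt = q.get("s", [None])[0]
        if not (user and token and salt):
            continue  # p=/enc: password form or malformed request; out of scope here
        reasons = []
        if token.lower() == empty_password_token(salt):
            reasons.append("token equals md5(salt): empty-password token")
        if known_users and user not in known_users:
            reasons.append("username not in user inventory")
        if reasons:
            findings.append({
                "line": number, "ip": m.group("ip"), "user": user,
                "endpoint": parts.path, "status": m.group("status"), "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, known_users=frozenset({"alice"})):
        print(f"line {f['line']}: {f['ip']} u={f['user']} {f['endpoint']} -> {'; '.join(f['reasons'])}")
```

Two caveats for anyone turning this into a rule: a legitimate account with an empty password produces the same t = md5(s) signature, so pair the token check with a user inventory before alerting; and the Subsonic API also accepts a plaintext or `enc:` password parameter, which this check does not cover. Because the Subsonic API usually returns HTTP 200 with an error in the body, the HTTP status column is not a reliable signal for the "permission denied" write attempts the advisory mentions.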

CVEs Like This One

CVE-2025-71279 (shared CWE-287)
CVE-2024-13804 (shared CWE-287)
CVE-2024-57046 (shared CWE-287)
CVE-2026-1203 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2025-43995 (shared CWE-287)
CVE-2026-7876 (shared CWE-287)
CVE-2025-0637 (shared CWE-287)
CVE-2025-61882 (shared CWE-287)
CVE-2026-0589 (shared CWE-287)

Affected Assets

Vendor: navidrome
Product: navidrome
Versions: 0.52.0 up to, but not including, 0.54.5

Mitigating Controls (NIST 800-53 r5) [AI]

prevent (flaw remediation): Directly mitigates the authentication bypass by requiring timely remediation of the specific flaw via patching to version 0.54.5.

prevent (IA-2, Identification and Authentication (Organizational Users)): Mandates robust identification and authentication for users, countering the improper authentication logic that validates non-existent usernames with empty-password hashes.

prevent (AC-3, Access Enforcement): Enforces approved access authorizations, preventing unauthorized read access to Subsonic API endpoints and user data such as playlists.