CVE-2025-27112
Published: 24 February 2025
Summary
CVE-2025-27112 is a medium-severity Improper Authentication (CWE-287) vulnerability in Navidrome. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2025-27112 is an authentication bypass vulnerability affecting Navidrome, an open-source web-based music collection server and streamer. The issue resides in certain Subsonic API endpoints and impacts versions starting from 0.52.0 up to but not including 0.54.5. Due to a flaw in the authentication check process, an attacker can supply an arbitrary non-existent username paired with a salted hash of an empty password, causing Navidrome to treat the request as authenticated. This grants access to various Subsonic endpoints without valid credentials. The vulnerability is rated at CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and is associated with CWE-287 (Improper Authentication).
An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting requests with a fabricated non-existent username and the salted hash of an empty password, the attacker bypasses authentication and gains read-only access to sensitive data, such as user playlists. Attempts to modify data fail due to insufficient permissions, resulting in "permission denied" errors, which confines the impact to unauthorized information disclosure with limited integrity effects.
The Navidrome security advisory (GHSA-c3p4-vm8f-386p) and the patching commit (287079a9e409fb6b9708ca384d7daa7b5185c1a0) confirm that upgrading to version 0.54.5 resolves the issue by fixing the authentication logic in the affected Subsonic API endpoints. Security practitioners should prioritize updating vulnerable Navidrome instances to mitigate this exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5077
Vulnerability details
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system, along with a salted hash of an empty password. Under these conditions, Navidrome treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails with a "permission denied" error due to insufficient permissions, limiting the impact to unauthorized viewing of information. Version 0.54.5 contains a patch for this issue.
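The flaw pattern and its fix, as an added illustration written for this page (it is not Navidrome's code and not the advisory's patch): a toy Go service uses the Subsonic token scheme, where the client sends a username `u`, a salt `s` and a token `t`; the example assumes the standard Subsonic definition t = md5(password + salt). In the vulnerable form a failed user lookup leaves the stored password empty, so a token computed from an empty password matches for any non-existent username, which is the condition the advisory describes; the fixed form rejects unknown users before any comparison. A small scanner over constructed log lines then flags requests whose token equals md5("" + salt), the defender-side signature of this bypass. The user table, salts and log lines are all constructed for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// users is a constructed stand-in for the server's user store (assumption:
// plaintext passwords keyed by username, as the Subsonic token scheme requires).
var users = map[string]string{
	"alice": "correct horse battery staple",
}

// subsonicToken computes the Subsonic API authentication token,
// t = md5(password + salt), as a lowercase hex string.
func subsonicToken(password, salt string) string {
	sum := md5.Sum([]byte(password + salt))
	return hex.EncodeToString(sum[:])
}

// authenticateVulnerable models the flaw class the advisory describes: a lookup
// miss yields an empty stored password, so md5("" + salt) matches a token built
// from an empty password and an unknown username is accepted. Illustrative only;
// this is not Navidrome's actual code.
func authenticateVulnerable(username, token, salt string) bool {
	storedPassword := users[username] // zero value "" when the user does not exist
	return token == subsonicToken(storedPassword, salt)
}

// authenticateFixed refuses unknown users and empty stored passwords before any
// token comparison, and compares tokens in constant time.
func authenticateFixed(username, token, salt string) (bool, error) {
	storedPassword, ok := users[username]
	if !ok || storedPassword == "" {
		return false, errors.New("unknown user or empty password")
	}
	expected := subsonicToken(storedPassword, salt)
	return subtle.ConstantTimeCompare([]byte(token), []byte(expected)) == 1, nil
}

// flagEmptyPasswordTokens scans access-log style lines ("METHOD /path?query ...")
// and returns the u= parameter of every Subsonic request whose token equals
// md5("" + salt), i.e. a token derived from an empty password. A hit is a strong
// indicator of a bypass attempt whether or not the named user exists, and the
// check needs no access to the user store because it depends only on the salt.
func flagEmptyPasswordTokens(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 || !strings.HasPrefix(fields[1], "/rest/") {
			continue // not a Subsonic API request
		}
		req, err := url.Parse(fields[1])
		if err != nil {
			continue
		}
		q := req.Query()
		user, token, salt := q.Get("u"), q.Get("t"), q.Get("s")
		if token == "" || salt == "" {
			continue // password-based (p=) or malformed request; outside this check
		}
		if token == subsonicToken("", salt) {
			flagged = append(flagged, user)
		}
	}
	return flagged
}

// sampleLog returns constructed request lines (not real Navidrome logs).
func sampleLog() []string {
	return []string{
		"GET /rest/ping.view?u=alice&t=" + subsonicToken("correct horse battery staple", "a1b2c3") + "&s=a1b2c3&v=1.16.1&c=app 200",
		"GET /rest/getPlaylists.view?u=ghost&t=" + subsonicToken("", "z9y8x7") + "&s=z9y8x7&v=1.16.1&c=app 200",
		"GET /app/api/album?_start=0 200",
	}
}

func main() {
	salt := "z9y8x7"
	emptyToken := subsonicToken("", salt)
	fmt.Println("vulnerable model accepts unknown user:", authenticateVulnerable("ghost", emptyToken, salt))
	ok, err := authenticateFixed("ghost", emptyToken, salt)
	fmt.Println("fixed model accepts unknown user:", ok, "err:", err)
	fmt.Println("flagged usernames:", flagEmptyPasswordTokens(sampleLog()))
}
```

In a deployment the scanner would be run over the reverse-proxy or Navidrome access log rather than the embedded sample; because the empty-password token depends only on the request's own salt, the check is cheap and does not require joining against the user table, which makes it a practical retrospective sweep while instances are being upgraded to 0.54.5.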
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Authentication bypass in the public-facing Navidrome web server/Subsonic API directly enables remote exploitation for initial access without credentials.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the authentication bypass by requiring timely remediation of the specific flaw via patching to version 0.54.5.
- IA-2 (Identification and Authentication (Organizational Users)): mandates robust identification and authentication for users, countering the improper authentication logic that validates non-existent usernames with empty password hashes.
- AC-3 (Access Enforcement): enforces approved access authorizations, preventing unauthorized read access to Subsonic API endpoints and user data like playlists.