CVE-2025-57800
Published: 22 August 2025
Summary
CVE-2025-57800 is a high-severity Unprotected Transport of Credentials (CWE-523) vulnerability in Audiobookshelf (vendor and product are both listed as Audiobookshelf). Its CVSS base score is 8.8 (High).
Operationally, it is ranked at the 28.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28630
Vulnerability details
Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes Audiobookshelf to store an arbitrary callback in a cookie, which is later used to redirect the user after authentication. The server then issues a 302 redirect to the attacker-controlled URL, appending sensitive OIDC tokens as query parameters. This allows an attacker to obtain the victim's tokens and perform full account takeover, including creating persistent admin users if the victim is an administrator. Tokens are further leaked via browser history, Referer headers, and server logs. This vulnerability impacts all Audiobookshelf deployments using OIDC; no IdP misconfiguration is required. The issue is fixed in version 2.28.0. No known workarounds exist.
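The following Node.js snippet is an added, defender-side illustration of the weakness class described above and of the "validates redirect targets" control listed under Mitigating Controls; it is not Audiobookshelf's own code and does not reproduce its fix. It places the unrestricted pattern (whatever callback the login link supplies is stored and later used verbatim) beside an allowlisting validator that only accepts same-origin targets and returns a path, so the cookie can never carry a foreign host. A small helper for scrubbing OIDC token parameters from URLs before they reach server logs addresses the log-leak the advisory mentions. The application origin, the function names, and the `code` parameter in the redaction list are assumptions; `id_token`, `access_token` and `refresh_token` are the standard OIDC/OAuth parameter names.

```javascript
// Added example, not Audiobookshelf's code. Uses only the WHATWG URL API
// built into Node.js, so it runs without any dependencies.

// Constructed value: the server's own public origin (an assumption; a real
// deployment would take this from configuration).
const APP_ORIGIN = "https://audiobooks.example.internal";

// Weak pattern, as the advisory describes it: the requested callback is
// accepted as-is and later used as the 302 Location after login.
function unsafeCallback(requested) {
  return requested;
}

// Hardened pattern: resolve the requested callback against the app origin
// and accept it only if the resulting origin is exactly ours. Returning
// path + query + fragment (never a host) means the stored value cannot
// redirect off-site even if the cookie is later tampered with.
function safeCallback(requested, appOrigin = APP_ORIGIN) {
  const fallback = "/";
  if (typeof requested !== "string" || requested.length === 0 || requested.length > 2048) {
    return fallback;
  }
  // The URL parser silently strips tabs/newlines, which can hide a scheme
  // ("java\nscript:"), so reject control characters and whitespace up front.
  if (/[\s\u0000-\u001f]/.test(requested)) {
    return fallback;
  }
  let url;
  try {
    // Relative paths ("/library/1") resolve to our origin; protocol-relative
    // ("//evil.example"), backslash ("\\evil.example"), userinfo tricks
    // ("https://ours@evil.example") and foreign absolute URLs do not.
    url = new URL(requested, appOrigin);
  } catch {
    return fallback;
  }
  if (url.origin !== new URL(appOrigin).origin) {
    return fallback;
  }
  return url.pathname + url.search + url.hash;
}

// Query parameters that must never be written to access or application logs.
// "code" is an assumption covering authorization-code flows; the others are
// the standard OIDC/OAuth token parameter names.
const SENSITIVE_PARAMS = ["id_token", "access_token", "refresh_token", "code"];

// Replace sensitive parameter values before a URL (e.g. a Location header or
// Referer) is logged. Unparseable input is not logged verbatim either.
function redactForLog(urlString, base = APP_ORIGIN) {
  let url;
  try {
    url = new URL(urlString, base);
  } catch {
    return "[unparseable url]";
  }
  for (const name of SENSITIVE_PARAMS) {
    if (url.searchParams.has(name)) {
      url.searchParams.set(name, "REDACTED");
    }
  }
  return url.toString();
}

module.exports = { APP_ORIGIN, unsafeCallback, safeCallback, redactForLog };
```

`safeCallback` deliberately returns the fallback rather than throwing, so a malformed or hostile callback degrades to landing on the application root instead of breaking the login flow. The validator relies on the parser's own resolution and origin comparison rather than on string prefix checks, which is what defeats the protocol-relative, backslash and userinfo variants.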
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Prevents unprotected transport of credentials by mandating confidentiality mechanisms such as TLS for all sensitive data flows.
- Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.
- Using a distinct channel for credential transmission prevents unprotected transport over the application's normal communication path.
- Requiring protected transport for credentials directly mitigates unprotected credential transmission over networks.
- Validates redirect targets and URLs to ensure they conform to allowed destinations.