Cyber Resilience

CVE-2025-57800

High · Public PoC

Published: 22 August 2025
Modified: 26 August 2025
KEV Added: not listed
Patch: fixed in version 2.28.0
CVSS v3.1 score: 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0011 (28.6th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-57800 is a high-severity Unprotected Transport of Credentials (CWE-523) vulnerability in Audiobookshelf. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks at the 28.6th percentile by EPSS exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.


Vulnerability details

Audiobookshelf is an open-source, self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes Audiobookshelf to store an arbitrary callback in a cookie, which is later used to redirect the user after authentication. The server then issues a 302 redirect to the attacker-controlled URL, appending sensitive OIDC tokens as query parameters. This allows an attacker to obtain the victim's tokens and perform full account takeover, including creating persistent admin users if the victim is an administrator. Tokens are further leaked via browser history, Referer headers, and server logs. This vulnerability affects all Audiobookshelf deployments using OIDC; no IdP misconfiguration is required. The issue is fixed in version 2.28.0. No known workarounds exist.
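A defensive check for the root cause described above, added here as an example; it is not Audiobookshelf's own code, and APP_ORIGIN and safeCallbackPath are hypothetical names. It accepts only a same-origin path as the post-login callback, so an attacker-supplied absolute or protocol-relative URL is never stored in the cookie or used as the 302 target.

```javascript
// Added example, not Audiobookshelf code: validate an OIDC post-login
// callback before it is stored in a cookie and later used in a redirect.
// APP_ORIGIN is a constructed sample value; safeCallbackPath is hypothetical.

const APP_ORIGIN = "https://abs.example.internal";
const DEFAULT_PATH = "/";

function safeCallbackPath(rawCallback, appOrigin = APP_ORIGIN) {
  if (typeof rawCallback !== "string" || rawCallback.length === 0 ||
      rawCallback.length > 2048) {
    return DEFAULT_PATH;
  }
  // Accept only a path rooted at "/". Reject protocol-relative forms
  // ("//host") and the backslash variant ("/\host"), which browsers
  // resolve to a different host.
  if (!/^\/(?![\/\\])/.test(rawCallback)) {
    return DEFAULT_PATH;
  }
  // Reject control characters and whitespace that could split a header
  // or smuggle a host into the Location value.
  if (/[\u0000-\u001f\u007f\s]/.test(rawCallback)) {
    return DEFAULT_PATH;
  }
  let parsed;
  try {
    parsed = new URL(rawCallback, appOrigin);
  } catch {
    return DEFAULT_PATH;
  }
  // After resolution the target must still be our own origin; this
  // catches forms the prefix check does not (userinfo "@" tricks, etc.).
  if (parsed.origin !== new URL(appOrigin).origin) {
    return DEFAULT_PATH;
  }
  // Return the normalised path and query only, never the raw input, so
  // the value that reaches the cookie and the 302 Location is canonical.
  return parsed.pathname + parsed.search;
}
```

Tokens themselves should be delivered in an HttpOnly cookie or server-side session rather than as query parameters, so they do not reach browser history, Referer headers or access logs even on a valid redirect.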

CWE(s): CWE-523 (Unprotected Transport of Credentials)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: audiobookshelf
Product: audiobookshelf
Affected versions: 2.6.0 to 2.28.0

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-523, CWE-598: Prevents unprotected transport of credentials by mandating confidentiality mechanisms such as TLS for all sensitive data flows.
- Addresses CWE-601: Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.
- Addresses CWE-523: Using a distinct channel for credential transmission prevents unprotected transport over the application's normal communication path.
- Addresses CWE-523: Requiring protected transport for credentials directly mitigates unprotected credential transmission over networks.
- Addresses CWE-601: Validates redirect targets and URLs to ensure they conform to allowed destinations.
