CVE-2025-27112 Overview
CVE-2025-27112 is an authentication bypass vulnerability affecting Navidrome, an open source web-based music collection server and streamer. The vulnerability exists in certain Subsonic API endpoints where a flaw in the authentication check process allows attackers to specify arbitrary non-existent usernames along with a salted hash of an empty password. Under these conditions, Navidrome incorrectly treats the request as authenticated, granting unauthorized access to various Subsonic endpoints without valid credentials.
Critical Impact
An attacker can bypass authentication to access read-only data in Navidrome, including user playlists and other sensitive information, using any non-existent username. While data modification attempts fail with "permission denied" errors, the unauthorized information disclosure represents a significant privacy concern.
Affected Products
- Navidrome versions 0.52.0 through 0.54.4
- Navidrome installations with Subsonic API enabled
- Self-hosted Navidrome instances exposed to network access
Discovery Timeline
- 2025-02-24 - CVE-2025-27112 published to NVD
- 2025-02-27 - Last updated in NVD database
Technical Details for CVE-2025-27112
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287) stems from improper error handling in Navidrome's user repository functions. When a request is made to the Subsonic API with a non-existent username, the authentication mechanism fails to properly validate the user's existence before proceeding with credential verification. The flaw allows attackers to authenticate using any arbitrary username that doesn't exist in the system, combined with a salted hash of an empty password, effectively bypassing the authentication layer entirely.
The attack is network-accessible and requires no prior authentication or user interaction, making it particularly dangerous for internet-exposed Navidrome instances. While the vulnerability limits attackers to read-only access (preventing data modification), it still exposes sensitive user information including playlists and potentially other personal data stored within the application.
Root Cause
The root cause lies in the user_repository.go file where the Get and GetAll functions improperly handle database query errors. Prior to the patch, these functions would return a result object even when an error occurred during the database lookup. This meant that when querying for a non-existent user, the function would return an empty/uninitialized user struct instead of properly propagating the error condition. The authentication layer then incorrectly processed this empty user object as a valid user, allowing the authentication to succeed with an empty password hash.
Attack Vector
The vulnerability can be exploited remotely over the network through the Subsonic API endpoints. An attacker can craft authentication requests with arbitrary non-existent usernames and a salted hash of an empty password. The Subsonic API uses token-based authentication where the token is a salted MD5 hash of the password. When an empty password is used, the resulting hash is predictable, and combined with the authentication bypass flaw, grants access to protected endpoints.
The following patch addresses the vulnerability by properly handling error conditions:
// Vulnerable code pattern (before patch):
sel := r.newSelect().Columns("*").Where(Eq{"id": id})
var res model.User
err := r.queryOne(sel, &res)
return &res, err // Returns result even if error occurred
// Fixed code (after patch):
sel := r.newSelect().Columns("*").Where(Eq{"id": id})
var res model.User
err := r.queryOne(sel, &res)
if err != nil {
return nil, err // Properly returns nil on error
}
return &res, nil
Source: GitHub Commit 287079a9
Detection Methods for CVE-2025-27112
Indicators of Compromise
- Authentication attempts to Subsonic API endpoints using non-existent usernames
- Successful API responses for requests with empty password hashes
- Unusual access patterns to playlist data or user information via Subsonic API
- Multiple requests from the same source using different, non-existent usernames
Detection Strategies
- Monitor Subsonic API authentication logs for requests with usernames not present in the user database
- Implement alerting for authentication tokens generated from empty password hashes (predictable MD5 values)
- Review access logs for unusual patterns of data retrieval without corresponding valid login events
- Deploy web application firewall (WAF) rules to detect suspicious Subsonic API request patterns
Monitoring Recommendations
- Enable detailed logging for all Subsonic API authentication attempts
- Configure real-time alerts for authentication events involving unknown usernames
- Establish baseline usage patterns and monitor for deviations in API access behavior
- Implement network-level monitoring for connections to Navidrome instances from unexpected sources
How to Mitigate CVE-2025-27112
Immediate Actions Required
- Upgrade Navidrome to version 0.54.5 or later immediately
- Review access logs for any suspicious authentication attempts prior to patching
- Audit Subsonic API access patterns for potential unauthorized data access
- Restrict network access to Navidrome instances to trusted networks if immediate patching is not possible
Patch Information
The vulnerability is fixed in Navidrome version 0.54.5. The patch corrects the error handling logic in the user repository functions (persistence/user_repository.go) to properly return nil when database queries fail, preventing the authentication bypass condition. The fix is available through the GitHub commit 287079a9e409fb6b9708ca384d7daa7b5185c1a0. Additional details are provided in the GitHub Security Advisory GHSA-c3p4-vm8f-386p.
Workarounds
- Disable Subsonic API endpoints if not required for your deployment
- Place Navidrome behind a reverse proxy with additional authentication requirements
- Implement IP whitelisting to restrict access to known trusted clients
- Enable rate limiting on authentication endpoints to slow potential exploitation attempts
# Example: Restrict Navidrome access using firewall rules
# Allow only trusted IP ranges to access Navidrome
iptables -A INPUT -p tcp --dport 4533 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 4533 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
