Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-27112

CVE-2025-27112: Navidrome Auth Bypass Vulnerability

CVE-2025-27112 is an authentication bypass flaw in Navidrome music server that allows attackers to access read-only data using non-existent usernames. This article covers the technical details, affected versions, and patches.

Updated:

CVE-2025-27112 Overview

CVE-2025-27112 is an authentication bypass vulnerability affecting Navidrome, an open source web-based music collection server and streamer. The vulnerability exists in certain Subsonic API endpoints where a flaw in the authentication check process allows attackers to specify arbitrary non-existent usernames along with a salted hash of an empty password. Under these conditions, Navidrome incorrectly treats the request as authenticated, granting unauthorized access to various Subsonic endpoints without valid credentials.

Critical Impact

An attacker can bypass authentication to access read-only data in Navidrome, including user playlists and other sensitive information, using any non-existent username. While data modification attempts fail with "permission denied" errors, the unauthorized information disclosure represents a significant privacy concern.

Affected Products

  • Navidrome versions 0.52.0 through 0.54.4
  • Navidrome installations with Subsonic API enabled
  • Self-hosted Navidrome instances exposed to network access

Discovery Timeline

  • 2025-02-24 - CVE-2025-27112 published to NVD
  • 2025-02-27 - Last updated in NVD database

Technical Details for CVE-2025-27112

Vulnerability Analysis

This authentication bypass vulnerability (CWE-287) stems from improper error handling in Navidrome's user repository functions. When a request is made to the Subsonic API with a non-existent username, the authentication mechanism fails to properly validate the user's existence before proceeding with credential verification. The flaw allows attackers to authenticate using any arbitrary username that doesn't exist in the system, combined with a salted hash of an empty password, effectively bypassing the authentication layer entirely.

The attack is network-accessible and requires no prior authentication or user interaction, making it particularly dangerous for internet-exposed Navidrome instances. While the vulnerability limits attackers to read-only access (preventing data modification), it still exposes sensitive user information including playlists and potentially other personal data stored within the application.

Root Cause

The root cause lies in the user_repository.go file where the Get and GetAll functions improperly handle database query errors. Prior to the patch, these functions would return a result object even when an error occurred during the database lookup. This meant that when querying for a non-existent user, the function would return an empty/uninitialized user struct instead of properly propagating the error condition. The authentication layer then incorrectly processed this empty user object as a valid user, allowing the authentication to succeed with an empty password hash.

Attack Vector

The vulnerability can be exploited remotely over the network through the Subsonic API endpoints. An attacker can craft authentication requests with arbitrary non-existent usernames and a salted hash of an empty password. The Subsonic API uses token-based authentication where the token is a salted MD5 hash of the password. When an empty password is used, the resulting hash is predictable, and combined with the authentication bypass flaw, grants access to protected endpoints.

The following patch addresses the vulnerability by properly handling error conditions:

go
// Vulnerable code pattern (before patch):
sel := r.newSelect().Columns("*").Where(Eq{"id": id})
var res model.User
err := r.queryOne(sel, &res)
return &res, err  // Returns result even if error occurred

// Fixed code (after patch):
sel := r.newSelect().Columns("*").Where(Eq{"id": id})
var res model.User
err := r.queryOne(sel, &res)
if err != nil {
    return nil, err  // Properly returns nil on error
}
return &res, nil

Source: GitHub Commit 287079a9

Detection Methods for CVE-2025-27112

Indicators of Compromise

  • Authentication attempts to Subsonic API endpoints using non-existent usernames
  • Successful API responses for requests with empty password hashes
  • Unusual access patterns to playlist data or user information via Subsonic API
  • Multiple requests from the same source using different, non-existent usernames

Detection Strategies

  • Monitor Subsonic API authentication logs for requests with usernames not present in the user database
  • Implement alerting for authentication tokens generated from empty password hashes (predictable MD5 values)
  • Review access logs for unusual patterns of data retrieval without corresponding valid login events
  • Deploy web application firewall (WAF) rules to detect suspicious Subsonic API request patterns

Monitoring Recommendations

  • Enable detailed logging for all Subsonic API authentication attempts
  • Configure real-time alerts for authentication events involving unknown usernames
  • Establish baseline usage patterns and monitor for deviations in API access behavior
  • Implement network-level monitoring for connections to Navidrome instances from unexpected sources

How to Mitigate CVE-2025-27112

Immediate Actions Required

  • Upgrade Navidrome to version 0.54.5 or later immediately
  • Review access logs for any suspicious authentication attempts prior to patching
  • Audit Subsonic API access patterns for potential unauthorized data access
  • Restrict network access to Navidrome instances to trusted networks if immediate patching is not possible

Patch Information

The vulnerability is fixed in Navidrome version 0.54.5. The patch corrects the error handling logic in the user repository functions (persistence/user_repository.go) to properly return nil when database queries fail, preventing the authentication bypass condition. The fix is available through the GitHub commit 287079a9e409fb6b9708ca384d7daa7b5185c1a0. Additional details are provided in the GitHub Security Advisory GHSA-c3p4-vm8f-386p.

Workarounds

  • Disable Subsonic API endpoints if not required for your deployment
  • Place Navidrome behind a reverse proxy with additional authentication requirements
  • Implement IP whitelisting to restrict access to known trusted clients
  • Enable rate limiting on authentication endpoints to slow potential exploitation attempts
bash
# Example: Restrict Navidrome access using firewall rules
# Allow only trusted IP ranges to access Navidrome
iptables -A INPUT -p tcp --dport 4533 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 4533 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne