
CVE-2026-25578: Navidrome XSS Vulnerability

CVE-2026-25578 is a cross-site scripting flaw in Navidrome that allows attackers to inject malicious code through song metadata to steal user credentials. This article covers technical details, affected versions, and mitigation.

CVE-2026-25578 Overview

CVE-2026-25578 is a Cross-Site Scripting (XSS) vulnerability discovered in Navidrome, an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials.

Critical Impact

Attackers can leverage malicious song metadata to execute arbitrary JavaScript code in the context of authenticated users, potentially leading to credential theft and session hijacking.

Affected Products

  • Navidrome versions prior to 0.60.0
  • Navidrome web-based music streaming frontend
  • Navidrome album and artist display components

Discovery Timeline

  • 2026-02-04 - CVE-2026-25578 published to NVD
  • 2026-02-05 - Last updated in NVD database

Technical Details for CVE-2026-25578

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw exists in the Navidrome frontend where song comment metadata is rendered without proper sanitization. When a user views an album or artist page containing a malicious song with crafted comment metadata, the injected JavaScript executes within the user's browser session.

The attack requires local access to upload or modify music files with malicious metadata, and user interaction is required for the victim to view the affected content. This stored XSS variant is particularly dangerous because the malicious payload persists in the music library and can affect multiple users who access the tainted content.

Root Cause

The root cause of this vulnerability stems from improper input sanitization in the React-based frontend components. Specifically, the AlbumDetails.jsx and ArtistShow.jsx components in the UI layer failed to sanitize HTML content embedded in song metadata fields before rendering them in the DOM. User-controlled input from audio file comment tags was directly interpolated into the page without proper encoding or escaping.

Attack Vector

An attacker with the ability to upload or modify music files in a Navidrome instance can embed malicious JavaScript code within the comment metadata field of an audio file. When authenticated users browse to the album or artist page containing the malicious track, the embedded script executes in their browser context. This enables the attacker to steal session cookies, authentication tokens, or other sensitive data through exfiltration to attacker-controlled servers.

The attack flow involves:

  1. Embedding JavaScript payload in audio file comment metadata
  2. Uploading the malicious audio file to the Navidrome server
  3. Waiting for victims to browse to the affected album/artist page
  4. JavaScript executes and exfiltrates user credentials
```diff
// Security patch in ui/src/album/AlbumDetails.jsx
 import config from '../config'
 import { formatFullDate, intersperse } from '../utils'
 import AlbumExternalLinks from './AlbumExternalLinks'
+import { SafeHTML } from '../common/SafeHTML'
 
 const useStyles = makeStyles(
   (theme) => ({
```
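Review bot: this excerpt only shows the new `import { SafeHTML } from '../common/SafeHTML'` line in AlbumDetails.jsx; the render site where the comment field is actually passed through SafeHTML is not in the hunk, and the advisory text names ArtistShow.jsx as affected as well, so the review should confirm that both components route the comment value through SafeHTML rather than stopping at the import.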

Source: GitHub Commit Update

The patch introduces a SafeHTML component to properly sanitize user-controlled content before rendering, preventing malicious script execution.
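As an added illustration (not Navidrome's code and not its SafeHTML component), the interpolation pattern that CWE-79 describes beside a hardened renderer; this version substitutes entity encoding plus a line-break allowance for an allowlist sanitizer, and the function names are hypothetical:

```javascript
// Added example, not Navidrome's code: the unsafe pattern behind CWE-79 next to a
// hardened renderer. Function names are hypothetical.

// Encode the five characters that let text break out of an HTML text node or an
// attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the comment tag value is interpolated into markup verbatim,
// which is what rendering it via innerHTML / dangerouslySetInnerHTML without
// sanitization amounts to. Any <script> or handler attribute in the tag survives.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened pattern: encode first, then re-introduce only the formatting the UI
// wants to keep (line breaks), so no attacker-supplied markup reaches the DOM.
function renderCommentSafe(comment) {
  const encoded = escapeHtml(comment).replace(/\r?\n/g, '<br>');
  return `<div class="comment">${encoded}</div>`;
}

// Constructed sample comment standing in for a file's comment tag.
const sampleComment = 'Live recording\n<script>x()</script>';
```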

Detection Methods for CVE-2026-25578

Indicators of Compromise

  • Unusual JavaScript code patterns within audio file metadata comments (e.g., <script>, onerror=, onload=)
  • Unexpected outbound network requests from client browsers to external domains
  • Audio files with suspiciously long or encoded comment metadata fields
  • Browser console errors indicating blocked inline scripts (if CSP is enabled)

Detection Strategies

  • Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
  • Monitor web application logs for unusual patterns in rendered content
  • Scan music library files for suspicious metadata content using metadata extraction tools
  • Deploy browser-based security monitoring to detect exfiltration attempts
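The library scan suggested above, as an added example that is not part of the advisory or of Navidrome: it applies the indicators listed under Indicators of Compromise to comment values. The record shape (`path`, `comment`) is an assumption; in practice the values would come from a metadata extraction tool run over the library.

```javascript
// Added example, not Navidrome's code: heuristics for the indicators listed above,
// run over constructed tag records. The {path, comment} record shape is assumed.
const INDICATORS = [
  { name: 'script-tag',      re: /<\s*script\b/i },
  { name: 'event-handler',   re: /\bon(?:error|load|mouseover|focus|click)\s*=/i },
  { name: 'html-tag',        re: /<\s*\/?\s*[a-z][a-z0-9-]*[^>]*>/i },
  { name: 'javascript-uri',  re: /javascript\s*:/i },
  { name: 'long-base64-run', re: /[A-Za-z0-9+/]{60,}={0,2}/ },
];
const MAX_COMMENT_LENGTH = 2000; // assumed threshold for "suspiciously long"

// Returns the names of the indicators that fire for one comment value.
function flagComment(comment) {
  const text = String(comment ?? '');
  const hits = INDICATORS.filter((ind) => ind.re.test(text)).map((ind) => ind.name);
  if (text.length > MAX_COMMENT_LENGTH) hits.push('oversized');
  return hits;
}

// Scans {path, comment} records and keeps only the flagged ones, so the output
// is a review list rather than the whole library.
function scanLibrary(records) {
  return records
    .map((r) => ({ path: r.path, indicators: flagComment(r.comment) }))
    .filter((r) => r.indicators.length > 0);
}

// Constructed sample records. "<3" is deliberately included: a bare "<" that is
// not followed by a tag name must not be flagged, or ordinary comments drown the scan.
const SAMPLE_RECORDS = [
  { path: '/music/ok/01.flac', comment: 'Remastered 2019. Bonus track.' },
  { path: '/music/ok/02.flac', comment: 'Vinyl rip <3 the band' },
  { path: '/music/bad/03.mp3', comment: '<script>x()</script>' },
  { path: '/music/bad/04.mp3', comment: 'QUJD'.repeat(20) }, // 80-char base64-like run
];
```

Treat hits as review candidates: a flagged file should be inspected with the same extraction tool, not deleted automatically.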

Monitoring Recommendations

  • Enable verbose logging on the Navidrome server to capture metadata parsing events
  • Implement network-level monitoring for unusual outbound connections from client systems
  • Configure alerts for any modifications to audio files in the music library
  • Review access logs for patterns indicating targeted browsing of specific albums or artists

How to Mitigate CVE-2026-25578

Immediate Actions Required

  • Upgrade Navidrome to version 0.60.0 or later immediately
  • Audit existing music library for files with suspicious metadata content
  • Implement Content Security Policy headers to provide defense-in-depth protection
  • Consider temporarily restricting file upload capabilities until patching is complete

Patch Information

The vulnerability has been addressed in Navidrome version 0.60.0. The fix introduces the SafeHTML component which properly sanitizes user-controlled content before rendering in the frontend. Users should upgrade to this version or later to remediate the vulnerability. The security patch is available in GitHub Commit d7ec735, and the patched release can be obtained from GitHub Release v0.60.0. For full details, refer to the GitHub Security Advisory GHSA-rh3r-8pxm-hg4w.

Workarounds

  • Implement strict Content Security Policy headers to block inline script execution as a temporary mitigation
  • Restrict music file uploads to trusted administrators only until patching is complete
  • Sanitize audio file metadata using external tools before importing into Navidrome
  • Consider deploying a web application firewall (WAF) with XSS detection rules
```nginx
# Example Content Security Policy header configuration for Nginx
# Add to your Navidrome reverse proxy configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self';" always;
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
