CVE-2025-25205

Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a flaw in the authentication bypass logic allows unauthenticated requests to match certain unanchored regex patterns in the URL. Attackers can craft URLs containing substrings like "/api/items/1/cover" in a query parameter (?r=/api/items/1/cover) to partially bypass authentication or trigger server crashes under certain routes. This could lead to information disclosure of otherwise protected data and, in some cases, a complete denial of service (server crash) if downstream code expects an authenticated user object. Version 2.19.1 contains a patch for the issue.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/advplyr/audiobookshelf/blob/1a3d70d04100924d41391acb55bd8ddca486a4fa/server/Auth.js#L17-L41	Product
https://github.com/advplyr/audiobookshelf/commit/bf8407274e3ee300af1927ee660d078a7a801e1c	Patch
https://github.com/advplyr/audiobookshelf/commit/ec6537656925a43871b07cfee12c9f383844d224	Patch
https://github.com/advplyr/audiobookshelf/pull/3584	Issue Tracking Patch
https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-pg8v-5jcv-wrvw	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:audiobookshelf:audiobookshelf:*:*:*:*:*:*:*:*

History

03 Jul 2025, 00:58

Type	Values Removed	Values Added
References	~~() https://github.com/advplyr/audiobookshelf/blob/1a3d70d04100924d41391acb55bd8ddca486a4fa/server/Auth.js#L17-L41 -~~	() https://github.com/advplyr/audiobookshelf/blob/1a3d70d04100924d41391acb55bd8ddca486a4fa/server/Auth.js#L17-L41 - Product
References	~~() https://github.com/advplyr/audiobookshelf/commit/bf8407274e3ee300af1927ee660d078a7a801e1c -~~	() https://github.com/advplyr/audiobookshelf/commit/bf8407274e3ee300af1927ee660d078a7a801e1c - Patch
References	~~() https://github.com/advplyr/audiobookshelf/commit/ec6537656925a43871b07cfee12c9f383844d224 -~~	() https://github.com/advplyr/audiobookshelf/commit/ec6537656925a43871b07cfee12c9f383844d224 - Patch
References	~~() https://github.com/advplyr/audiobookshelf/pull/3584 -~~	() https://github.com/advplyr/audiobookshelf/pull/3584 - Issue Tracking, Patch
References	~~() https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-pg8v-5jcv-wrvw -~~	() https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-pg8v-5jcv-wrvw - Exploit, Vendor Advisory
Summary		(es) Audiobookshelf es un servidor de audiolibros y podcasts autoalojado. A partir de la versión 2.17.0 y antes de la versión 2.19.1, una falla en la lógica de omisión de autenticación permite que las solicitudes no autenticadas coincidan con ciertos patrones de expresiones regulares no anclados en la URL. Los atacantes pueden manipuleURL que contengan subcadenas como "/api/items/1/cover" en un parámetro de consulta (?r=/api/items/1/cover) para omitir parcialmente la autenticación o provocar fallas del servidor en ciertas rutas. Esto podría provocar la divulgación de información de datos que de otro modo estarían protegidos y, en algunos casos, una denegación completa del servicio (falla del servidor) si el código descendente espera un objeto de usuario autenticado. La versión 2.19.1 contiene un parche para el problema.
CPE		cpe:2.3:a:audiobookshelf:audiobookshelf::::::::
First Time		Audiobookshelf Audiobookshelf audiobookshelf

12 Feb 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-12 19:15

Updated : 2025-07-03 00:58

NVD link : CVE-2025-25205

Mitre link : CVE-2025-25205

CVE.ORG link : CVE-2025-25205

JSON object : View

Products Affected

audiobookshelf

audiobookshelf

CWE

CWE-202

Exposure of Sensitive Information Through Data Queries

CWE-287

Improper Authentication

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2025-25205", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2025-02-12T19:15:21.717", "references": [{"url": "https://github.com/advplyr/audiobookshelf/blob/1a3d70d04100924d41391acb55bd8ddca486a4fa/server/Auth.js#L17-L41", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/advplyr/audiobookshelf/commit/bf8407274e3ee300af1927ee660d078a7a801e1c", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/advplyr/audiobookshelf/commit/ec6537656925a43871b07cfee12c9f383844d224", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/advplyr/audiobookshelf/pull/3584", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-pg8v-5jcv-wrvw", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-202"}, {"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a flaw in the authentication bypass logic allows unauthenticated requests to match certain unanchored regex patterns in the URL. Attackers can craft URLs containing substrings like \"/api/items/1/cover\" in a query parameter (?r=/api/items/1/cover) to partially bypass authentication or trigger server crashes under certain routes. This could lead to information disclosure of otherwise protected data and, in some cases, a complete denial of service (server crash) if downstream code expects an authenticated user object. Version 2.19.1 contains a patch for the issue."}, {"lang": "es", "value": "Audiobookshelf es un servidor de audiolibros y podcasts autoalojado. A partir de la versi\u00f3n 2.17.0 y antes de la versi\u00f3n 2.19.1, una falla en la l\u00f3gica de omisi\u00f3n de autenticaci\u00f3n permite que las solicitudes no autenticadas coincidan con ciertos patrones de expresiones regulares no anclados en la URL. Los atacantes pueden manipuleURL que contengan subcadenas como \"/api/items/1/cover\" en un par\u00e1metro de consulta (?r=/api/items/1/cover) para omitir parcialmente la autenticaci\u00f3n o provocar fallas del servidor en ciertas rutas. Esto podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n de datos que de otro modo estar\u00edan protegidos y, en algunos casos, una denegaci\u00f3n completa del servicio (falla del servidor) si el c\u00f3digo descendente espera un objeto de usuario autenticado. La versi\u00f3n 2.19.1 contiene un parche para el problema."}], "lastModified": "2025-07-03T00:58:22.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:audiobookshelf:audiobookshelf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BA2660E-DF78-436C-9A89-9BC33EE11B22", "versionEndExcluding": "2.19.1", "versionStartIncluding": "2.17.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

8.2 /10