CVE-2025-48948

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8	Patch
https://github.com/navidrome/navidrome/pull/4096	Issue Tracking
https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*

History

26 Aug 2025, 14:17

Type	Values Removed	Values Added
References	~~() https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8 -~~	() https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8 - Patch
References	~~() https://github.com/navidrome/navidrome/pull/4096 -~~	() https://github.com/navidrome/navidrome/pull/4096 - Issue Tracking
References	~~() https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3 -~~	() https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3 - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CPE		cpe:2.3:a:navidrome:navidrome::::::::
Summary		(es) Navidrome es un servidor y transmisor de música de código abierto basado en la web. Una falla de verificación de permisos en versiones anteriores a la 0.56.0 permite a cualquier usuario autenticado eludir las comprobaciones de autorización y realizar operaciones de configuración de transcodificación exclusivas del administrador, como crear, modificar y eliminar ajustes de transcodificación. En el modelo de amenaza donde se confía en los administradores, pero no en los usuarios, esta vulnerabilidad representa un riesgo de seguridad significativo cuando la transcodificación está habilitada. La versión 0.56.0 corrige el problema.
First Time		Navidrome navidrome Navidrome

30 May 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-30 20:15

Updated : 2025-08-26 14:17

NVD link : CVE-2025-48948

Mitre link : CVE-2025-48948

CVE.ORG link : CVE-2025-48948

JSON object : View

Products Affected

navidrome

navidrome

CWE

CWE-863

Incorrect Authorization

6.5 /10