CVE-2025-48948

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8	Patch
https://github.com/navidrome/navidrome/pull/4096	Issue Tracking
https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*

History

26 Aug 2025, 14:17

Type	Values Removed	Values Added
First Time		Navidrome navidrome Navidrome
References	~~() https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8 -~~	() https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8 - Patch
References	~~() https://github.com/navidrome/navidrome/pull/4096 -~~	() https://github.com/navidrome/navidrome/pull/4096 - Issue Tracking
References	~~() https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3 -~~	() https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3 - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CPE		cpe:2.3:a:navidrome:navidrome::::::::

02 Jun 2025, 17:32

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-30 20:15

Updated : 2025-08-26 14:17

NVD link : CVE-2025-48948

Mitre link : CVE-2025-48948

CVE.ORG link : CVE-2025-48948

JSON object : View

Products Affected

navidrome

navidrome

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2025-48948", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-30T20:15:43.910", "references": [{"url": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/navidrome/navidrome/pull/4096", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue."}, {"lang": "es", "value": "Navidrome es un servidor y transmisor de m\u00fasica de c\u00f3digo abierto basado en la web. Una falla de verificaci\u00f3n de permisos en versiones anteriores a la 0.56.0 permite a cualquier usuario autenticado eludir las comprobaciones de autorizaci\u00f3n y realizar operaciones de configuraci\u00f3n de transcodificaci\u00f3n exclusivas del administrador, como crear, modificar y eliminar ajustes de transcodificaci\u00f3n. En el modelo de amenaza donde se conf\u00eda en los administradores, pero no en los usuarios, esta vulnerabilidad representa un riesgo de seguridad significativo cuando la transcodificaci\u00f3n est\u00e1 habilitada. La versi\u00f3n 0.56.0 corrige el problema."}], "lastModified": "2025-08-26T14:17:42.403", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "534A6DB5-CF8E-40FC-9ADD-65C82010A568", "versionEndExcluding": "0.56.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}