CVE-2025-48949

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information. Version 0.56.0 contains a patch for the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6	Patch
https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*

History

26 Aug 2025, 14:12

Type	Values Removed	Values Added
First Time		Navidrome Navidrome navidrome
Summary		(es) Navidrome es un servidor y transmisor de música de código abierto basado en la web. Las versiones 0.55.0 a 0.55.2 presentan una vulnerabilidad debido a una validación de entrada incorrecta en el parámetro `role` dentro del endpoint de la API `/api/artist`. Los atacantes pueden explotar esta vulnerabilidad para inyectar consultas SQL arbitrarias, lo que podría obtener acceso no autorizado a la base de datos del backend y comprometer información confidencial del usuario. La versión 0.56.0 incluye un parche para solucionar este problema.
References	~~() https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6 -~~	() https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6 - Patch
References	~~() https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r -~~	() https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r - Vendor Advisory
CPE		cpe:2.3:a:navidrome:navidrome::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

30 May 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-30 20:15

Updated : 2025-08-26 14:12

NVD link : CVE-2025-48949

Mitre link : CVE-2025-48949

CVE.ORG link : CVE-2025-48949

JSON object : View

Products Affected

navidrome

navidrome

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

9.8 /10