{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-48948", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-28T18:49:07.583Z", "datePublished": "2025-05-30T19:25:41.422Z", "dateUpdated": "2025-05-30T20:44:14.912Z"}, "containers": {"cna": {"title": "Navidrome Transcoding Permission Bypass Vulnerability Report", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3"}, {"name": "https://github.com/navidrome/navidrome/pull/4096", "tags": ["x_refsource_MISC"], "url": "https://github.com/navidrome/navidrome/pull/4096"}, {"name": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8", "tags": ["x_refsource_MISC"], "url": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8"}], "affected": [{"vendor": "navidrome", "product": "navidrome", "versions": [{"version": "< 0.56.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-30T19:25:41.422Z"}, "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue."}], "source": {"advisory": "GHSA-f238-rggp-82m3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-30T20:44:04.673537Z", "id": "CVE-2025-48948", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T20:44:14.912Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-48948", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-30T20:44:04.673537Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-30T20:44:10.405Z"}}], "cna": {"title": "Navidrome Transcoding Permission Bypass Vulnerability Report", "source": {"advisory": "GHSA-f238-rggp-82m3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "navidrome", "product": "navidrome", "versions": [{"status": "affected", "version": "< 0.56.0"}]}], "references": [{"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3", "name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/navidrome/navidrome/pull/4096", "name": "https://github.com/navidrome/navidrome/pull/4096", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8", "name": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-30T19:25:41.422Z"}}}, "cveMetadata": {"cveId": "CVE-2025-48948", "state": "PUBLISHED", "dateUpdated": "2025-05-30T20:44:14.912Z", "dateReserved": "2025-05-28T18:49:07.583Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-30T19:25:41.422Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "534A6DB5-CF8E-40FC-9ADD-65C82010A568", "versionEndExcluding": "0.56.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue."}, {"lang": "es", "value": "Navidrome es un servidor y transmisor de m\u00fasica de c\u00f3digo abierto basado en la web. Una falla de verificaci\u00f3n de permisos en versiones anteriores a la 0.56.0 permite a cualquier usuario autenticado eludir las comprobaciones de autorizaci\u00f3n y realizar operaciones de configuraci\u00f3n de transcodificaci\u00f3n exclusivas del administrador, como crear, modificar y eliminar ajustes de transcodificaci\u00f3n. En el modelo de amenaza donde se conf\u00eda en los administradores, pero no en los usuarios, esta vulnerabilidad representa un riesgo de seguridad significativo cuando la transcodificaci\u00f3n est\u00e1 habilitada. La versi\u00f3n 0.56.0 corrige el problema."}], "id": "CVE-2025-48948", "lastModified": "2025-08-26T14:17:42.403", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-30T20:15:43.910", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/navidrome/navidrome/pull/4096"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2025-06-24T09:44:17.517005+00:00", "updated": "2025-06-24T09:44:17.517094+00:00", "vendors": ["navidrome", "navidrome$PRODUCT$navidrome"]}