CVE-2025-25205
Published: 12 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
Audiobookshelf, a self-hosted audiobook and podcast server, is affected by CVE-2025-25205 in versions from 2.17.0 up to, but not including, 2.19.1. The flaw is in the authentication middleware's exemption logic: the regular expressions that decide which routes may be served without authentication are unanchored, so an unauthenticated request whose URL merely contains a matching substring anywhere (including in the query string) is treated as an exempt route. The issue, published on 2025-02-12, carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and maps to CWE-202 (Exposure of Sensitive Information Through Data Queries), CWE-287 (Improper Authentication) and CWE-400 (Uncontrolled Resource Consumption).
An unauthenticated attacker with network access to the server exploits this by appending a matching substring such as /api/items/1/cover as a query parameter of a request to a protected route, for example ?r=/api/items/1/cover. Because the unanchored pattern matches the query string, the request passes the authentication check without a session, which partially bypasses authentication and can disclose data that should require a login. On routes whose handlers assume an authenticated user object is present, the missing user leads to an unhandled error and a server crash, which is the denial-of-service component (A:H) of the score.
The vulnerability is fixed in Audiobookshelf version 2.19.1. Details of the fix are given in the GitHub security advisory (GHSA-pg8v-5jcv-wrvw), pull request #3584 and commits bf8407274e3ee300af1927ee660d078a7a801e1c and ec6537656925a43871b07cfee12c9f383844d224; the affected authentication logic is in server/Auth.js, lines 17-41. Operators who cannot upgrade immediately should treat every route as reachable without a session until they do.
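The following is an added illustration of the bug class described above, written for this page and not taken from Audiobookshelf's server/Auth.js or the linked fix. It reduces the Express-style middleware to pure functions so it runs stand-alone: the exemption regex, the protected /api/me route and the session object are assumptions chosen to mirror the ?r=/api/items/1/cover example. The vulnerable check tests an unanchored regex against the full URL; the hardened check drops the query string and anchors the pattern to the whole path. A simulated pipeline then shows both outcomes the advisory names: the bypass, and the TypeError that follows when a handler dereferences a user object that the skipped authentication never populated.

```javascript
// Added example (not Audiobookshelf's code): route-exemption regex bug.
// Regexes, the /api/me route and the session object are assumptions.

// Routes assumed to be servable without a login, such as cover images.
// Unanchored: the pattern may match anywhere inside the tested string.
const EXEMPT_PATTERNS_VULNERABLE = [/\/api\/items\/[^\/]+\/cover/];

// Vulnerable check: tests the unanchored pattern against the full URL,
// query string included, so "?r=/api/items/1/cover" satisfies it.
function isExemptVulnerable(url) {
  return EXEMPT_PATTERNS_VULNERABLE.some((re) => re.test(url));
}

// Hardened check: match only the path component (query string dropped)
// and anchor the pattern to the whole path with ^ and $.
const EXEMPT_PATTERNS_FIXED = [/^\/api\/items\/[^\/]+\/cover$/];

function isExemptFixed(url) {
  const path = new URL(url, 'http://localhost').pathname;
  return EXEMPT_PATTERNS_FIXED.some((re) => re.test(path));
}

// Simulated request pipeline: auth gate, then a handler that dereferences
// req.user without checking it, as the summary says some routes do.
// Returns { status, body } or { status: 500, error } instead of crashing.
function handleRequest(url, sessionUser, isExempt) {
  const req = {
    url,
    path: new URL(url, 'http://localhost').pathname,
    user: sessionUser || undefined,
  };

  // Authentication middleware: anything not on the exemption list needs a user.
  if (!isExempt(req.url) && !req.user) {
    return { status: 401, body: 'Unauthorized' };
  }

  // Hypothetical protected route handler that assumes req.user exists.
  if (req.path === '/api/me') {
    try {
      return { status: 200, body: { username: req.user.username } };
    } catch (err) {
      // In a real Node process an uncaught TypeError here propagates out of
      // the handler and, absent an error handler, takes the server down:
      // the denial-of-service half of the advisory.
      return { status: 500, error: err.constructor.name };
    }
  }

  // Exempt route: cover image served without a session.
  return { status: 200, body: `cover for ${req.path}` };
}
```

In Express, req.path excludes the query string while req.url and req.originalUrl include it, so the trap is matching an unanchored pattern against one of the latter. Anchoring alone is not enough either: the unanchored pattern also accepts trailing segments such as /api/items/1/cover/anything, which the anchored form rejects.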
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an authentication bypass in a public-facing web application (Audiobookshelf) caused by unanchored regex matching of request URLs. That maps directly to exploitation of a public-facing application for unauthorized data access, and to application or system exploitation for denial of service, since some routes crash the server when reached without an authenticated user object.