CVE-2025-27112
Published: 24 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27112 is an authentication bypass vulnerability affecting Navidrome, an open-source web-based music collection server and streamer. The issue resides in certain Subsonic API endpoints and impacts versions starting from 0.52.0 up to but not including 0.54.5. Due to a flaw in the authentication check process, an attacker can supply an arbitrary non-existent username paired with a salted hash of an empty password, causing Navidrome to treat the request as authenticated. This grants access to various Subsonic endpoints without valid credentials. The vulnerability is rated at CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and is associated with CWE-287 (Improper Authentication).
An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting requests with a fabricated non-existent username and the salted hash of an empty password, the attacker bypasses authentication and gains read-only access to sensitive data, such as user playlists. Attempts to modify data fail due to insufficient permissions, resulting in "permission denied" errors, which confines the impact to unauthorized information disclosure with limited integrity effects.
The Navidrome security advisory (GHSA-c3p4-vm8f-386p) and the patching commit (287079a9e409fb6b9708ca384d7daa7b5185c1a0) confirm that upgrading to version 0.54.5 resolves the issue by fixing the authentication logic in the affected Subsonic API endpoints. Security practitioners should prioritize updating vulnerable Navidrome instances to mitigate this exposure.
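As an added example (not part of the advisory or the Navidrome project), the following script gives a defender two checks derived from the summary above: a version test against the stated affected range, and a scan of reverse-proxy access logs for Subsonic API requests whose token is the salted hash of an empty password (Subsonic token auth is t = md5(password + s), so an empty password reduces the token to md5(s)). The log format, paths and values are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# Affected range stated in the advisory: >= 0.52.0 and < 0.54.5.
AFFECTED_MIN = (0, 52, 0)
FIXED_IN = (0, 54, 5)

# Combined-format access log line from a reverse proxy in front of Navidrome (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; the first carries u=ghost with t = md5("hello") and s=hello.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2025:10:01:02 +0000] "GET /rest/getPlaylists?u=ghost&t=5d41402abc4b2a76b9719d911017c592&s=hello&v=1.16.1&c=probe&f=json HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.4 - - [24/Feb/2025:10:02:15 +0000] "GET /rest/ping?u=alice&t=9e107d9d372bb6826bd81d3542a419d6&s=abc123&v=1.16.1&c=player HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Feb/2025:10:02:16 +0000] "GET /app/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def is_affected_version(version: str) -> bool:
    """True if a Navidrome version string falls inside the advisory's affected range."""
    parts = tuple(int(x) for x in version.strip().lstrip("v").split(".")[:3])
    parts = parts + (0,) * (3 - len(parts))  # pad "0.53" to (0, 53, 0)
    return AFFECTED_MIN <= parts < FIXED_IN


def find_empty_password_tokens(log_text: str) -> list[dict]:
    """Flag /rest/ requests whose token equals md5(salt), i.e. the salted hash of an
    empty password. A genuine account with an empty password would match too, so
    confirm the reported user against known accounts before acting on a hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.startswith("/rest/"):
            continue  # only Subsonic API endpoints are in scope
        q = parse_qs(url.query)
        token, salt = q.get("t", [None])[0], q.get("s", [None])[0]
        if token is None or salt is None:
            continue  # password-based auth (p=...) or no auth parameters at all
        if token.lower() == hashlib.md5(salt.encode()).hexdigest():
            hits.append({"ip": m.group("ip"), "user": q.get("u", ["?"])[0],
                         "path": url.path, "status": int(m.group("status"))})
    return hits
```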
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authentication bypass in the public-facing Navidrome web server's Subsonic API directly enables remote exploitation for initial access without credentials.