Skip to main content

Navidrome CVE-2024-47062

CRITICAL
SQL Injection (CWE-89)
2024-09-20 security-advisories@github.com
9.4
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Sep 20, 2024 - 19:15 cve.org
CRITICAL 9.4

DescriptionCVE.org

Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like password=... in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a LIKE statement, allowing people to log in with % instead of their username. When adding parameters to the URL, they are automatically included in an SQL LIKE statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with AAA. This results in an SQL query like password LIKE 'AAA%', allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

Navidrome is an open source web-based music collection server and streamer. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like password=... in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a LIKE statement, allowing people to log in with % instead of their username. When adding parameters to the URL, they are automatically included in an SQL LIKE statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with AAA. This results in an SQL query like password LIKE 'AAA%', allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Navidrome. Version information: version 0.53.0..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2025-27112 MEDIUM POC
6.9 Feb 24

Navidrome is an open source web-based music collection server and streamer. Rated medium severity (CVSS 6.9), this vulne

CVE-2023-51442 HIGH POC
8.6 Dec 21

Navidrome is an open source web-based music collection server and streamer. Rated high severity (CVSS 8.6), this vulnera

CVE-2026-25579 MEDIUM POC
6.5 Feb 04

Navidrome versions prior to 0.60.0 allow authenticated users to trigger denial of service by requesting image resizing w

CVE-2026-25578 MEDIUM POC
6.1 Feb 04

Navidrome versions before 0.60.0 contain a stored cross-site scripting vulnerability in song comment metadata that allow

CVE-2024-41259 CRITICAL
9.1 Aug 01

Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's

CVE-2024-32963 MEDIUM POC
4.2 May 01

Navidrome is an open source web-based music collection server and streamer. Rated medium severity (CVSS 4.2), this vulne

CVE-2024-56362 MEDIUM
5.5 Dec 23

Navidrome is an open source web-based music collection server and streamer. Rated medium severity (CVSS 5.5), this vulne

CVE-2025-48949 HIGH
8.9 May 30

Navidrome is an open source web-based music collection server and streamer. Rated high severity (CVSS 8.9), this vulnera

CVE-2025-48948 HIGH POC
7.4 May 30

Navidrome is an open source web-based music collection server and streamer. Rated high severity (CVSS 7.4), this vulnera

Share

CVE-2024-47062 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy