Skip to main content

Navidrome CVE-2024-56362

MEDIUM
Cleartext Storage of Sensitive Information (CWE-312)
2024-12-23 security-advisories@github.com
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 23, 2024 - 18:15 nvd
MEDIUM 5.5

DescriptionNVD

Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1.

AnalysisAI

Navidrome is an open source web-based music collection server and streamer. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-312. Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1. Affected products include: Navidrome.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-27112 MEDIUM POC
6.9 Feb 24

Navidrome is an open source web-based music collection server and streamer. Rated medium severity (CVSS 6.9), this vulne

CVE-2024-47062 CRITICAL POC
9.4 Sep 20

Navidrome is an open source web-based music collection server and streamer. Rated critical severity (CVSS 9.4), this vul

CVE-2023-51442 HIGH POC
8.6 Dec 21

Navidrome is an open source web-based music collection server and streamer. Rated high severity (CVSS 8.6), this vulnera

CVE-2026-25579 MEDIUM POC
6.5 Feb 04

Navidrome versions prior to 0.60.0 allow authenticated users to trigger denial of service by requesting image resizing w

CVE-2026-25578 MEDIUM POC
6.1 Feb 04

Navidrome versions before 0.60.0 contain a stored cross-site scripting vulnerability in song comment metadata that allow

CVE-2024-41259 CRITICAL
9.1 Aug 01

Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's

CVE-2024-32963 MEDIUM POC
4.2 May 01

Navidrome is an open source web-based music collection server and streamer. Rated medium severity (CVSS 4.2), this vulne

CVE-2025-48949 HIGH
8.9 May 30

Navidrome is an open source web-based music collection server and streamer. Rated high severity (CVSS 8.9), this vulnera

CVE-2025-48948 HIGH POC
7.4 May 30

Navidrome is an open source web-based music collection server and streamer. Rated high severity (CVSS 7.4), this vulnera

Share

CVE-2024-56362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy