Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from sibling directories whose names share the music_path prefix by crafting traversal sequences, bypassing the path restriction due to the missing trailing separator in the comparison logic to retrieve arbitrary files from the server.
AnalysisAI
{file_path:path} endpoint. The flaw stems from comparing an attacker-controlled absolute path against the music base path without a trailing separator, so sibling directories sharing the base name's prefix are reachable. No public exploit identified at time of analysis, but the upstream commit publicly discloses the exact bypass technique.
Technical ContextAI
xiaomusic is a Python-based music streaming service (vendor: hanxi) that exposes HTTP routes under /music/ and /picture/ to serve files from a configured base directory. The vulnerability is a textbook CWE-22 (Path Traversal) caused by a classic 'startswith' prefix-check bug in xiaomusic/api/routers/file.py: the code verified that the resolved absolute_file_path started with the configured base directory string but did not append os.sep, so a base of '/srv/music' would also match '/srv/music_secret/' or '/srv/musicbackup/'. The PR #891 fix appends + os.sep to both temp_base and absolute_path comparisons in the music_file handler and in get_picture, confirming the affected CPE cpe:2.3:a:hanxi:xiaomusic:*:*:*:*:*:*:*:*.
RemediationAI
Upstream fix available (commit 88404da7a283f2c0a796a4cd16bbb6e6aa1f4722 via PR #891); a tagged released patched version is not independently confirmed from the input data, so operators should track the hanxi/xiaomusic repository for a post-0.5.7 release and upgrade as soon as it is published, referencing https://github.com/hanxi/xiaomusic/commit/88404da7a283f2c0a796a4cd16bbb6e6aa1f4722 and the VulnCheck advisory https://www.vulncheck.com/advisories/xiaomusic-path-traversal-via-get-music-endpoint. Until then, apply the one-line patch locally to xiaomusic/api/routers/file.py changing the three startswith(base) checks to startswith(base + os.sep) in the music_file and get_picture handlers. Compensating controls: place xiaomusic behind an authenticating reverse proxy or VPN so /music/ and /picture/ endpoints are not reachable by untrusted clients (trade-off: breaks direct mobile/smart-speaker access on untrusted networks); add a reverse-proxy URL filter that rejects requests containing .., URL-encoded %2e%2e, or backslashes on the /music/ and /picture/ paths (trade-off: encoding variants may bypass naive filters); and ensure the music_path directory has no sibling directories whose names share its prefix on the filesystem (trade-off: only a partial mitigation since attackers can still reach files inside legitimate siblings).
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33366
GHSA-5j8p-5rrj-8wjg