Audiobookshelf
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts a user-controlled file path without sufficient boundary validation to ensure it remains within the intended library directory. This vulnerability is fixed in 2.32.2.
Stored cross-site scripting (XSS) in Audiobookshelf prior to 2.33.0 allows authenticated administrators to inject malicious HTML and JavaScript into the authLoginCustomMessage field via the /api/auth-settings endpoint, which is then rendered on the login page for all users without sanitization. This enables attackers with admin credentials to capture user credentials, perform account takeover, or redirect users to phishing sites. No public exploit code identified at time of analysis.
Denial-of-service in Audiobookshelf prior to version 2.32.2 allows authenticated admin users to crash the server by uploading a specially crafted ZIP file to the backup upload endpoint. The vulnerability stems from decompressing ZIP entries without size limits, enabling an attacker to craft a highly compressed archive that consumes gigabytes of memory when extracted, exhausting server resources and triggering an out-of-memory condition.
Authenticated users with upload permission in Audiobookshelf prior to 2.32.2 can enumerate files outside their authorized library folder through a path traversal vulnerability in the POST /api/filesystem/pathexists endpoint. The weakness is a String.startsWith() check that cannot distinguish between sibling directories sharing a prefix (e.g., /audiobooks and /audiobooks-private), so file existence can be probed across library boundaries despite the authentication requirement. No public exploit code or active exploitation has been identified at time of analysis.
Audiobookshelf prior to version 2.32.2 fails to enforce library access controls on the GET /api/collections and GET /api/collections/:id endpoints, allowing authenticated users to enumerate and retrieve collection metadata and book information from libraries they are not authorized to access. An attacker with valid credentials for any one library can use this privilege escalation to discover sensitive metadata across all libraries in a multi-library installation.
Authenticated users with download permissions in Audiobookshelf prior to 2.32.2 can download files from libraries they do not have access to by directly specifying item IDs in the GET /api/libraries/:id/download endpoint, bypassing library access controls. An attacker with valid credentials and access to any single library can exfiltrate complete file contents from restricted libraries, including those explicitly denied to them.
Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library metadata that executes in other users' browsers, potentially compromising sessions and enabling data theft. Public exploit code exists for this vulnerability. A patch is available in version 2.32.0 and later.
Stored XSS in Audiobookshelf Mobile App prior to version 0.12.0-beta allows authenticated users with library modification privileges to inject malicious JavaScript through metadata, enabling arbitrary code execution within victim users' browsers and WebViews. Successful exploitation could lead to session hijacking, data theft, and unauthorized access to native device APIs. A patch is available in version 0.12.0-beta and later.
Audiobookshelf is an open-source self-hosted audiobook server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available.
Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available.
Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available.