216.73.217.86

CVE-2025-48948

· Published 30/05/2025 20:15 · Modified 30/05/2025 20:15

Labels: CVE-2025-48948 2025-05-30CVE-2025-48948CWE-863[email protected]

Essential information

Published
30/05/2025 20:15
Modified
30/05/2025 20:15
Author
Creator
CVSS
7.4 HIGH (v3) 7.4 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
navidrome / navidrome cpe:2.3:a:navidrome:navidrome:<0.56.0:*:*:*:*:*:*:*

References