CVE-2025-48949

216.73.216.6

· Published 30/05/2025 20:15 · Modified 30/05/2025 20:15

Labels: CVE-2025-48949 2025-05-30 CVE-2025-48949 CWE-89 [email protected]

Essential information

Published: 30/05/2025 20:15
Modified: 30/05/2025 20:15
Author: —
Creator: —
CVSS: 8.9 HIGH (v3) 8.9 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information. Version 0.56.0 contains a patch for the issue.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
navidrome / navidrome	`cpe:2.3:a:navidrome:navidrome:0.55.0:::::::*`
navidrome / navidrome	`cpe:2.3:a:navidrome:navidrome:0.55.1:::::::*`
navidrome / navidrome	`cpe:2.3:a:navidrome:navidrome:0.55.2:::::::*`