Navidrome, Authorization Bypass, CVE-2023-XXXX (Critical)


How the CVE Works

The vulnerability stems from missing privilege validation on Navidrome's transcoding API endpoints. When an authenticated non-admin user (one whose JWT carries `"adm":false`) sends requests to /api/transcoding, the server processes them without checking administrative rights, so regular users can create, modify, or delete transcoding configurations, actions meant only for admins. The root cause is a missing authorization middleware in front of these handlers: authentication is enforced, authorization is not, which yields a vertical privilege escalation from an ordinary account to admin-only functionality.

DailyCVE Form

Platform: Navidrome
Version: <0.50.0
Vulnerability: Auth Bypass
Severity: Critical
Date: 2023-XX-XX

Prediction: Patch by Q3 2024

What Undercode Says:

Exploitation:

1. Craft Malicious Request:

curl -X POST 'http://target/api/transcoding' \
-H 'Authorization: Bearer JWT_REGULAR_USER_TOKEN' \
-H 'Content-Type: application/json' \
-d '{"name":"exploit","command":"malicious_cmd"}'

2. Verify Bypass:

Check the response for `HTTP 200`. A non-admin token should normally get `403`; a `200`, followed by the new rule appearing in the transcoding list, confirms the bypass.

Mitigation:

1. Temporary Fix:

Keep transcoding configuration editing switched off. The option named in Navidrome's configuration reference for this is `ND_ENABLETRANSCODINGCONFIG` (default `false`); with it unset or set to `false`, transcoding settings are not editable through the UI or API. Only deployments that turned it on need to change anything until a fixed release is available.

2. Patch Check:

Monitor Navidrome’s GitHub for updates.

Detection:

A quick source audit (not runtime detection): list the transcoding handlers and flag any that do not reference an admin check. `adminCheck` is a placeholder for whatever the codebase calls that guard; absence of the string does not prove the check is missing, and presence does not prove it runs before the write, so read the matched routes' middleware chain by hand.

grep -rn "func Transcoding" /path/to/navidrome | grep -v "adminCheck"

Code Fix (Golang Snippet):

package middleware

import "net/http"

// TranscodingMiddleware rejects any caller who is not an admin before the
// transcoding handler runs. user.IsAdmin is a placeholder for the
// application's own admin lookup on the request context.
func TranscodingMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        if !user.IsAdmin(r.Context()) {
            http.Error(w, "Forbidden", http.StatusForbidden)
            return
        }
        next.ServeHTTP(w, r)
    })
}
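The following is an added, self-contained Go example (not Navidrome's code and not part of the original post) that shows the flaw described under "How the CVE Works" and the effect of the fix above in one runnable program: the same transcoding handler is wired once behind authentication only (the bug) and once behind authentication plus an admin gate, and the advisory's curl request is replayed in-process against both. The authentication layer, the `X-Demo-User`/`X-Demo-Admin` headers it trusts, the context key, and the handler body are all constructed for the demonstration; a real service must verify the JWT signature and take `adm` from the verified claims.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// userInfo is what the (assumed) authentication layer leaves on the request
// context; Admin mirrors the "adm" JWT claim. The type and key are this
// example's own, not Navidrome's context helpers.
type userInfo struct {
	Name  string
	Admin bool
}

type ctxKey struct{}

// withUser stands in for JWT authentication. To run offline it trusts two
// constructed headers instead of validating a signed token; a real service
// must verify the token signature and read "adm" from the verified claims.
func withUser(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := r.Header.Get("X-Demo-User")
		if name == "" {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		u := userInfo{Name: name, Admin: r.Header.Get("X-Demo-Admin") == "true"}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, u)))
	})
}

// requireAdmin is the missing authorization step: being authenticated is
// not enough, the caller must also be an admin.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := r.Context().Value(ctxKey{}).(userInfo)
		if !ok || !u.Admin {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// transcodingHandler is a placeholder for the admin-only endpoint: it
// decodes the JSON body and acknowledges the new rule.
var transcodingHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	var rule struct {
		Name    string `json:"name"`
		Command string `json:"command"`
	}
	if err := json.NewDecoder(r.Body).Decode(&rule); err != nil {
		http.Error(w, "Bad Request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
})

// vulnerableMux wires the endpoint behind authentication only (the bug).
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/transcoding", withUser(transcodingHandler))
	return mux
}

// fixedMux puts the admin gate in front of the same handler.
func fixedMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/transcoding", withUser(requireAdmin(transcodingHandler)))
	return mux
}

// post replays the advisory's curl request in-process and returns the
// HTTP status, so the bypass can be checked without a live target.
func post(h http.Handler, user string, admin bool) int {
	body := `{"name":"exploit","command":"malicious_cmd"}` // constructed payload
	req := httptest.NewRequest(http.MethodPost, "/api/transcoding", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-Demo-User", user)
	if admin {
		req.Header.Set("X-Demo-Admin", "true")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, non-admin:", post(vulnerableMux(), "alice", false)) // 200
	fmt.Println("fixed, non-admin:     ", post(fixedMux(), "alice", false))      // 403
	fmt.Println("fixed, admin:         ", post(fixedMux(), "root", true))        // 200
}
```

The point of wiring both routers is that the handler itself is unchanged: the difference between the `200` a regular user gets from `vulnerableMux` and the `403` from `fixedMux` comes entirely from the middleware chain, which is where an audit of this class of bug should look.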

Log Analysis:

Modify and delete operations matter as much as create, so match all writing methods, then correlate the hits with the calling account's admin flag; method and path alone also match legitimate admin activity.

journalctl -u navidrome | grep -E "(POST|PUT|DELETE) /api/transcoding"

Impact Reduction:

  • Restrict the endpoint at the reverse proxy (e.g., Nginx) so only admin workstation addresses reach it. This is a stopgap: it also locks out admins connecting from elsewhere, and it complements rather than replaces the server-side authorization check. The `location` prefix covers sub-paths such as /api/transcoding/1 as well:
    location /api/transcoding {
    allow ADMIN_IP;
    deny all;
    }

References:

  • Navidrome GitHub Issue XXX
  • CVE-2023-XXXX (Pending)

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
