CVE-2023-51442

8.6 HIGH

📋 TL;DR

This vulnerability lets an unauthenticated attacker bypass authentication on Navidrome's Subsonic API endpoint (/rest/) by presenting a JWT signed with a hardcoded key. It affects Navidrome versions before 0.50.2 on instances that have never been restarted since their first start, exposing users' music collections to unauthorized access.

💻 Affected Systems

Products:
  • Navidrome
Versions: All versions before 0.50.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances that have never been restarted since their first start. Exposure is nonetheless common: Navidrome's documentation recommends leaving the /rest/ endpoint without reverse-proxy authentication so that Subsonic clients can reach it, so on most deployments the vulnerable endpoint is directly reachable.

📦 What is this software?

Navidrome is an open-source, self-hosted music server and streamer written in Go. It exposes a Subsonic-compatible API under /rest/ so that third-party Subsonic clients can browse and stream the library; that API is the endpoint affected here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Impersonation of any account, including administrators, on the Subsonic API without knowing a password: full access to the music library and to per-user data such as playlists, which the attacker can read, alter, or delete.

🟠

Likely Case

Unauthorized access to music collections, potentially exposing personal media libraries and metadata.

🟢

If Mitigated

Limited impact if the /rest/ endpoint is network-restricted or the instance has been restarted since its first start; a restart removes the exposure, and updating to 0.50.2 removes it permanently.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attacker needs only a valid username (the admin account is an obvious target): they forge a JWT for that user signed with the hardcoded key 'not so secret' and present it to the /rest/ endpoint in place of real credentials. No password, Subsonic token or salt is required, and the forging step is a few lines with any JWT library.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.50.2

Vendor Advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-wq59-4q6r-635r

Restart Required: Yes

Instructions:

1. Update Navidrome to version 0.50.2 or later.
2. Restart the Navidrome service; the patched binary is not running until you do.
3. Verify the update: navidrome --version should report 0.50.2 or later.

🔧 Temporary Workarounds

Restart Service

linux

Restarting Navidrome mitigates the vulnerability, since only instances that have never been restarted since their first start are affected. Treat this as a stopgap and still apply the 0.50.2 update.

sudo systemctl restart navidrome

Protect Subsonic Endpoint

all

Add authentication or restrict access to the /rest/ endpoint via reverse proxy or firewall rules. Subsonic clients authenticate directly against /rest/ and most cannot pass a reverse-proxy login prompt, so restricting by source network (VPN, allow-listed addresses) is usually the workable option if remote clients must keep working.

🧯 If You Can't Patch

  • Restart the Navidrome service immediately
  • Implement network-level protection for the /rest/ endpoint

🔍 How to Verify

Check if Vulnerable:

An instance is vulnerable if its Navidrome version is below 0.50.2 and the service has never been restarted since it was first started. Check both: the version from the binary or the Subsonic API, and the service's start history on the host (for example the systemd journal for the navidrome unit).

Check Version:

navidrome --version

Verify Fix Applied:

Confirm the version is 0.50.2 or later and that the service was restarted after the update, so the patched binary is the one actually serving /rest/.
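The following Go helper is an added example for the version half of this check; it is not part of the page or of the Navidrome project. It parses the version numerically (a plain string comparison would rank 0.9.0 above 0.50.2 and call it patched) and, for checks against a remote instance, reads the serverVersion field that recent Navidrome releases return in Subsonic JSON responses. That field and the "0.50.1 (f3d4e5)"-style build suffix are assumptions of this example; older servers omit the field, in which case the helper reports unknown rather than guessing. The version alone says nothing about whether the instance has been restarted; that still has to be checked on the host.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// FixedVersion is the first patched release named in the advisory.
const FixedVersion = "0.50.2"

// Accepts "0.50.1", "v0.50.1" and "0.50.1 (f3d4e5)"-style strings; the build
// suffix shape is an assumption of this example, not taken from the page.
var versionRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)`)

// parseVersion extracts major, minor and patch as integers.
func parseVersion(s string) ([3]int, error) {
	m := versionRe.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return [3]int{}, fmt.Errorf("unrecognised version %q", s)
	}
	var v [3]int
	for i := range v {
		v[i], _ = strconv.Atoi(m[i+1]) // digits only by the regex, so Atoi cannot fail
	}
	return v, nil
}

// less reports whether release a is older than release b.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// IsAffected reports whether a Navidrome version is below FixedVersion.
// Numeric comparison matters: as strings, "0.9.0" sorts after "0.50.2".
func IsAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	fixed, _ := parseVersion(FixedVersion)
	return less(v, fixed), nil
}

// VersionFromPing pulls serverVersion out of a Subsonic ping response requested
// with f=json (assumed field; older servers omit it, and ok is then false).
func VersionFromPing(body []byte) (version string, ok bool) {
	var resp struct {
		R struct {
			ServerVersion string `json:"serverVersion"`
		} `json:"subsonic-response"`
	}
	if err := json.Unmarshal(body, &resp); err != nil || resp.R.ServerVersion == "" {
		return "", false
	}
	return resp.R.ServerVersion, true
}

func main() {
	// Constructed inputs standing in for `navidrome --version` output.
	for _, s := range []string{"0.50.1 (f3d4e5)", "v0.50.2", "0.9.0", "0.51.0"} {
		affected, err := IsAffected(s)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-18s affected=%v\n", s, affected)
	}
	// Constructed ping response, as a remote check would get from /rest/ping.view?f=json
	ping := []byte(`{"subsonic-response":{"status":"ok","version":"1.16.1","type":"navidrome","serverVersion":"0.50.1 (f3d4e5)"}}`)
	if v, ok := VersionFromPing(ping); ok {
		affected, _ := IsAffected(v)
		fmt.Printf("ping reports %s affected=%v\n", v, affected)
	} else {
		fmt.Println("server did not report a version; check on the host")
	}
}
```

Point the ping check at a real instance by fetching /rest/ping.view?f=json with valid Subsonic credentials and passing the body to VersionFromPing; a missing field is itself a hint that the server predates the releases that report it.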

📡 Detection & Monitoring

Log Indicators:

  • Authentication attempts with JWT parameter
  • Failed authentication followed by successful access
  • Unusual access patterns to /rest/ endpoint

Network Indicators:

  • HTTP requests to /rest/ with jwt parameter
  • Authentication bypass attempts

SIEM Query:

source="navidrome" AND (uri_path="/rest/*" AND query_parameters CONTAINS "jwt")

Note: a jwt parameter on /rest/ is also how legitimately issued Navidrome tokens are presented, so its presence alone is not proof of attack. The strong signal is a token whose signature verifies under the hardcoded key 'not so secret', or jwt-authenticated requests appearing from clients or addresses that never used them before.
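The Go program below is an added example written for this page, not Navidrome's code and not the public PoC. It serves two passages: the mechanism described under Exploit Status (an HS256 JWT forged with the key 'not so secret') and the detection this section asks for. It scans constructed request-log lines, extracts the jwt parameter from /rest/ requests, and reports only those tokens whose signature verifies under the hardcoded key, so tokens signed with an instance's own random secret are not flagged. The HS256 algorithm, a 'sub' claim carrying the username, the u= query parameter naming the target user, and the "METHOD /path?query status" line shape are all assumptions of this example, not facts taken from the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// HardcodedSecret is the placeholder signing key named in the advisory.
const HardcodedSecret = "not so secret"

var b64 = base64.RawURLEncoding

// signHS256 builds a compact JWT (header.payload.signature) with HMAC-SHA256.
// Claim names are an assumption of this example.
func signHS256(claims map[string]interface{}, secret []byte) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	signingInput := header + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyHS256 returns the claims when the token's signature is valid under secret.
// The MAC is always recomputed here, so an alg=none token can never verify.
func verifyHS256(token string, secret []byte) (map[string]interface{}, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, false
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, false
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, false
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, false
	}
	return claims, true
}

// Finding is one /rest/ request whose jwt parameter verifies under HardcodedSecret.
type Finding struct {
	Line    int    // 1-based line number in the scanned log
	Path    string // request path
	User    string // u= query parameter, the account the request acts as
	Subject string // sub claim inside the forged token
}

// ScanAccessLog walks "METHOD /path?query status" lines (constructed shape) and
// reports /rest/ requests whose jwt the hardcoded key verifies. Tokens signed
// with the instance's real secret fail verification and are not reported.
func ScanAccessLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		u, err := url.Parse(fields[1])
		if err != nil || !strings.HasPrefix(u.Path, "/rest/") {
			continue
		}
		tok := u.Query().Get("jwt")
		if tok == "" {
			continue
		}
		claims, ok := verifyHS256(tok, []byte(HardcodedSecret))
		if !ok {
			continue
		}
		sub, _ := claims["sub"].(string)
		out = append(out, Finding{Line: i + 1, Path: u.Path, User: u.Query().Get("u"), Subject: sub})
	}
	return out
}

// SampleLog returns constructed log lines: one token forged with the hardcoded
// key, one signed with a random per-instance secret as a healthy instance would issue.
func SampleLog() []string {
	realSecret := make([]byte, 32)
	if _, err := rand.Read(realSecret); err != nil {
		panic(err)
	}
	forged := signHS256(map[string]interface{}{"sub": "admin"}, []byte(HardcodedSecret))
	legit := signHS256(map[string]interface{}{"sub": "alice"}, realSecret)
	return []string{
		"GET /rest/ping.view?v=1.16.1&c=probe&f=json 200",
		"GET /rest/getMusicFolders.view?v=1.16.1&c=probe&u=admin&jwt=" + forged + " 200",
		"GET /rest/stream.view?id=1&u=alice&jwt=" + legit + " 200",
		"GET /app/ 200",
	}
}

func main() {
	for _, f := range ScanAccessLog(SampleLog()) {
		fmt.Printf("line %d: %s as u=%s accepted a jwt forged with %q (sub=%s)\n",
			f.Line, f.Path, f.User, HardcodedSecret, f.Subject)
	}
}
```

Run it against real proxy logs by feeding request lines to ScanAccessLog; because the detector verifies the HMAC itself, it only ever fires on tokens that an unpatched, never-restarted instance would have accepted, which is the one signal that separates an attack from ordinary jwt-authenticated traffic.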

🔗 References

  • GitHub Security Advisory GHSA-wq59-4q6r-635r: https://github.com/navidrome/navidrome/security/advisories/GHSA-wq59-4q6r-635r
  • Navidrome project: https://github.com/navidrome/navidrome
