CVE-2024-28194 – YourSpotify versions before 1.8.0 use a hardcod... (How to Fix)

Q: How do I fix CVE-2024-28194?

1. Backup your current YourSpotify installation and database 2. Stop the YourSpotify service 3. Update to version 1.8.0 using your deployment method (Docker, manual, etc.) 4. Restart the service 5. Verify the update was successful

Q: What is the severity of CVE-2024-28194?

CVE-2024-28194 has a CVSS score of 9.1 (CRITICAL). YourSpotify versions before 1.8.0 use a hardcoded JWT secret, allowing attackers to forge valid authentication tokens for any user. This enables authentication bypass and potential admin account takeover. All self-hosted YourSpotify instances running vulnerable versions are affected.

📋 TL;DR

YourSpotify versions before 1.8.0 use a hardcoded JWT secret, allowing attackers to forge valid authentication tokens for any user. This enables authentication bypass and potential admin account takeover. All self-hosted YourSpotify instances running vulnerable versions are affected.

💻 Affected Systems

Products:

your_spotify

Versions: All versions < 1.8.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All deployments using default configuration are vulnerable. The hardcoded JWT secret is embedded in the application code.

📦 What is this software?

Your Spotify by Yooooomi

View all CVEs affecting Your Spotify →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to the YourSpotify instance, potentially accessing sensitive Spotify listening data, modifying configurations, or compromising the hosting server.

🟠

Likely Case

Unauthorized access to user accounts, viewing private listening history, and potential data exfiltration from the Spotify tracking dashboard.

🟢

If Mitigated

If the instance is behind strong network controls and not internet-facing, risk is limited to internal attackers with network access.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires knowledge of the hardcoded secret (publicly disclosed in advisory) and basic JWT manipulation skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.0

Vendor Advisory: https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-gvcr-g265-j827

Restart Required: Yes

Instructions:

1. Backup your current YourSpotify installation and database
2. Stop the YourSpotify service
3. Update to version 1.8.0 using your deployment method (Docker, manual, etc.)
4. Restart the service
5. Verify the update was successful

🔧 Temporary Workarounds

No workarounds available

all

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

Isolate the YourSpotify instance from untrusted networks
Implement strict network access controls and monitor authentication logs

🔍 How to Verify

Check if Vulnerable:

Check your YourSpotify version. If it's below 1.8.0, you are vulnerable.

Check Version:

Check the YourSpotify web interface or deployment configuration for version information.

Verify Fix Applied:

Confirm version is 1.8.0 or higher and test authentication with new tokens.

📡 Detection & Monitoring

Log Indicators:

Unusual authentication patterns
Multiple failed login attempts followed by successful login from same IP
Admin account access from unexpected locations

Network Indicators:

Authentication requests with manipulated JWT tokens
Unusual API access patterns

SIEM Query:

Search for authentication events with JWT tokens containing the hardcoded secret or unusual user-agent patterns.

📊 Metadata

CVE ID: CVE-2024-28194

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-798

Published: March 13, 2024

Last Updated: February 12, 2025

🔗 References

https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-gvcr-g265-j827 Exploit,Vendor Advisory
https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-gvcr-g265-j827 Exploit,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-28194, you might also want to check these: