CVE-2024-56362

7.1 HIGH

📋 TL;DR

Navidrome versions before 0.54.1 write the JWT signing secret to the SQLite database file (navidrome.db) in plaintext. Anyone who can read that file, or a backup of it, recovers the secret and can forge valid authentication tokens for any account, including administrators, without knowing a password. Every installation on a vulnerable version is affected, regardless of configuration.

💻 Affected Systems

Products:
  • Navidrome
Versions: All versions before 0.54.1
Operating Systems: All platforms running Navidrome
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The weakness is in how the secret is persisted to the database, not in any configurable option, so no setting avoids it.

📦 What is this software?

Navidrome is an open-source, self-hosted music server and streamer written in Go. It exposes a Subsonic-compatible API so third-party mobile and desktop clients can authenticate and stream from a user's library, and by default it keeps users, settings and library metadata in a single SQLite file, navidrome.db. Web sessions are authenticated with JWTs signed by a server-side secret that Navidrome keeps in that same database.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Anyone who can read the file recovers the token-signing secret and can mint tokens for any account, including administrators, gaining full control of the instance and every user's library. Read access alone is enough (no write access to the database is needed), and forged tokens stay valid until the secret is rotated.

🟠

Likely Case

Unauthorized access to user accounts and music collections by an attacker who obtains read access to the database file, or to a backup, snapshot or container volume that contains it.

🟢

If Mitigated

Limited impact if the database file, its SQLite -wal/-shm sidecars and all backups are readable only by the service account; the residual exposure is any path that reads files as that account or as root.

🌐 Internet-Facing: MEDIUM - The database file is not served by the application, so exposure needs a second weakness: an arbitrary file read elsewhere on the host, a misconfigured share or volume, or a leaked backup.
🏢 Internal Only: HIGH - Any internal user, compromised process or backup operator with read access to navidrome.db can extract the secret directly; no further exploitation is required.

🎯 Exploit Status

Public PoC: No
Weaponized: No known weaponized exploit; none is required, since forging a token with a known signing secret is routine
Unauthenticated Exploit: No (requires read access to navidrome.db)
Complexity: LOW

Exploitation requires read access to the navidrome.db file, or to a copy of it (backup, snapshot, exported container volume). Once the secret is in hand there is nothing left to exploit: the attacker mints tokens offline and presents them to the service like any legitimate client.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.54.1

Vendor Advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-xwx7-p63r-2rj8

Restart Required: Yes

Instructions:

1. Back up the current Navidrome installation and database.
2. Download and install Navidrome 0.54.1 or later.
3. Restart the Navidrome service.
4. Confirm the running version with navidrome --version or in the web interface.
5. If the database file, a backup or a snapshot may already have been read by someone other than the service, treat the secret as compromised. Upgrading changes how the secret is stored on disk; do not assume it invalidates tokens minted with a copy of the old secret. Rotate the secret and have users sign in again (how the secret is regenerated is version-specific; check the release notes or the advisory for your version rather than assuming).

🔧 Temporary Workarounds

Secure Database File Permissions

linux

Restrict the navidrome.db file, its SQLite -wal/-shm sidecars and the data directory to the Navidrome service user. The directory matters because SQLite recreates the sidecars with the service's umask, so a file-only fix can be undone on the next write.

chown navidrome:navidrome /path/to/navidrome.db*
chmod 600 /path/to/navidrome.db*
chmod 700 /path/to    # the data directory, so newly created -wal/-shm files are not world-readable

Database File Encryption

all

Use filesystem or volume encryption to protect the database file at rest. This defends against offline copies (stolen disks, snapshots, backups) but not against a user or process on the running host that can read the mounted file, so it complements the permission workaround rather than replacing it.

🧯 If You Can't Patch

  • Implement strict file permissions on navidrome.db and its -wal/-shm sidecars (read/write for the service user only) and restrict the data directory to that user
  • Run Navidrome under a dedicated, unprivileged service account so the file is not readable by other services on the host
  • Treat backups, snapshots and exported container volumes that contain navidrome.db as secret material: encrypt them and limit who can read them
  • Monitor access to the database file (for example an auditd watch on the file) and alert on reads by anything other than the service account

🔍 How to Verify

Check if Vulnerable:

Check whether the JWT secret is stored in plaintext in the property table. Run the query as the Navidrome service user, or against a copy of the file, to avoid lock and permission surprises with the live WAL-mode database. SQLite's LIKE is case-insensitive for ASCII, so the pattern finds the key whatever casing the installed version uses:

sqlite3 navidrome.db "SELECT id, value FROM property WHERE id LIKE '%jwt%';"

A readable secret string in the value column on a version before 0.54.1 confirms exposure. Remember that the -wal sidecar can also hold a recently written copy of the row.

Check Version:

Check Navidrome web interface or run: navidrome --version

Verify Fix Applied:

After patching, run the same query. The row may still be present; what must change is that its value is no longer the usable signing secret. Because the on-disk form of the stored value is an implementation detail, the version check (0.54.1 or later) is the authoritative test.
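The following script combines the checks above into one report: it inspects the mode and owner of navidrome.db and any -wal/-shm/-journal sidecars, then lists property rows whose id mentions jwt from a read-only open of the file. It is an added example, not a tool from the Navidrome project; it assumes the property table has id and value columns (as the query on this page implies) and that the service account name and database path are passed on the command line.

```python
import os
import pwd
import sqlite3
import stat
import sys
from pathlib import Path


def sidecar_files(db_path):
    """The SQLite main file plus any -wal/-shm/-journal sidecars that exist.

    Navidrome runs SQLite in WAL mode, so the -wal file can hold recently written
    rows (including the secret) and must be locked down with the main file.
    """
    p = Path(db_path)
    candidates = [p] + [p.with_name(p.name + s) for s in ("-wal", "-shm", "-journal")]
    return [c for c in candidates if c.exists()]


def check_file_perms(path, service_user):
    """Findings for one file: mode bits beyond the owner, or an unexpected owner."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group or other bit set
        findings.append(f"{path}: mode {mode:04o} grants group/other access (expected 0600)")
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid not in /etc/passwd (containers); report the number instead
        owner = str(st.st_uid)
    if owner != service_user:
        findings.append(f"{path}: owned by {owner}, expected {service_user}")
    return findings


def jwt_property_rows(db_path):
    """Rows of the property table whose id mentions jwt, from a read-only open.

    SQLite's LIKE is case-insensitive for ASCII, so this matches the key whatever
    casing the installed version uses. The URI form needs a path without '?'.
    """
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return conn.execute(
            "SELECT id, value FROM property WHERE id LIKE '%jwt%' ORDER BY id"
        ).fetchall()
    finally:
        conn.close()


def audit(db_path, service_user):
    """Permission findings for every database file, then the secret rows found."""
    findings = []
    for f in sidecar_files(db_path):
        findings.extend(check_file_perms(f, service_user))
    for row_id, value in jwt_property_rows(db_path):
        findings.append(
            f"property row {row_id!r} is present ({len(value or '')} chars); "
            "on a version before 0.54.1 this value is the raw signing secret"
        )
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} /path/to/navidrome.db <service-user>")
    report = audit(sys.argv[1], sys.argv[2])
    print("\n".join(report) if report else "no findings")
    sys.exit(1 if report else 0)
```

Run it as root or as the service user while Navidrome is stopped, or point it at a copy of the file; a non-zero exit means either a permission problem or a secret row worth inspecting by hand.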

📡 Detection & Monitoring

Log Indicators:

  • Reads of navidrome.db, its -wal/-shm sidecars or backups containing them by any process other than the Navidrome service (for example an auditd watch firing for sqlite3, cp, tar or scp)
  • Denied opens of the file, which show someone probing it even where the permission workaround held

Network Indicators:

  • Sessions for accounts that have no corresponding recent login, especially administrator accounts
  • Multiple failed login attempts followed by successful access
  • Note that a token minted with the stolen secret never fails a login, so a clean authentication log is not evidence that the secret is safe

SIEM Query:

file_access WHERE file_path LIKE '%navidrome.db%' AND user NOT IN ('navidrome', 'expected_service_user')

(Pseudo-syntax; the trailing wildcard is deliberate so the -wal and -shm sidecars are covered as well as the main file.)
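The detection logic behind that query, applied to raw auditd records rather than a normalized SIEM table, as an added example (not Navidrome project code or a vendor rule): it joins each SYSCALL record with its PATH records by the audit(ts:serial) id, keeps opens of navidrome.db or a sidecar, and reports those made by a uid outside the allowed set, denied attempts included. The log lines, the uid 998 service account and the uid-to-name map are constructed for the example; the watch rule shown in the comment is standard auditctl syntax.

```python
import re
from collections import defaultdict

# Constructed sample of auditd output for a watch on the database file, e.g.
#   auditctl -w /var/lib/navidrome/navidrome.db -p rwa -k navidrome_db
# Each event is one SYSCALL record plus PATH records sharing an audit(ts:serial) id.
# uid 998 is the (constructed) navidrome service account; 1001 and 1002 are other users.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1733000000.101:2001): arch=c000003e syscall=257 success=yes exit=7 pid=812 auid=4294967295 uid=998 gid=998 comm="navidrome" exe="/usr/local/bin/navidrome" key="navidrome_db"
type=PATH msg=audit(1733000000.101:2001): item=0 name="/var/lib/navidrome/" inode=1300 ouid=998 ogid=998 nametype=PARENT
type=PATH msg=audit(1733000000.101:2001): item=1 name="/var/lib/navidrome/navidrome.db" inode=1311 ouid=998 ogid=998 nametype=NORMAL
type=SYSCALL msg=audit(1733000350.402:2090): arch=c000003e syscall=257 success=yes exit=3 pid=5133 auid=1001 uid=1001 gid=1001 comm="sqlite3" exe="/usr/bin/sqlite3" key="navidrome_db"
type=PATH msg=audit(1733000350.402:2090): item=0 name="/var/lib/navidrome/" inode=1300 ouid=998 ogid=998 nametype=PARENT
type=PATH msg=audit(1733000350.402:2090): item=1 name="/var/lib/navidrome/navidrome.db" inode=1311 ouid=998 ogid=998 nametype=NORMAL
type=SYSCALL msg=audit(1733000351.017:2091): arch=c000003e syscall=257 success=yes exit=3 pid=5140 auid=1001 uid=1001 gid=1001 comm="cp" exe="/usr/bin/cp" key="navidrome_db"
type=PATH msg=audit(1733000351.017:2091): item=0 name="/var/lib/navidrome/" inode=1300 ouid=998 ogid=998 nametype=PARENT
type=PATH msg=audit(1733000351.017:2091): item=1 name="/var/lib/navidrome/navidrome.db-wal" inode=1312 ouid=998 ogid=998 nametype=NORMAL
type=SYSCALL msg=audit(1733000400.500:2095): arch=c000003e syscall=257 success=no exit=-13 pid=5150 auid=1002 uid=1002 gid=1002 comm="cat" exe="/usr/bin/cat" key="navidrome_db"
type=PATH msg=audit(1733000400.500:2095): item=0 name="/var/lib/navidrome/" inode=1300 ouid=998 ogid=998 nametype=PARENT
type=PATH msg=audit(1733000400.500:2095): item=1 name="/var/lib/navidrome/navidrome.db" inode=1311 ouid=998 ogid=998 nametype=NORMAL
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")  # timestamp and event serial
DB_FILE_RE = re.compile(r"/navidrome\.db(-wal|-shm|-journal)?$")

ALLOWED_UIDS = {"998"}                                            # service account (constructed)
UID_NAMES = {"998": "navidrome", "1001": "alice", "1002": "bob"}  # constructed passwd excerpt


def parse_fields(line):
    """key=value pairs of one audit record; quoted values have the quotes stripped."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def group_events(log_text):
    """Join each SYSCALL record with its PATH records by audit(ts:serial) id."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = parse_fields(line)
        ev = events[(m.group(1), m.group(2))]
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields)
    return events


def find_suspicious_access(log_text, allowed_uids=ALLOWED_UIDS):
    """Every open of navidrome.db (or a sidecar) by a uid outside allowed_uids.

    Denied attempts (success=no) are reported too: they show someone probing the
    file even where the 0600 workaround held.
    """
    hits = []
    for (ts, serial), ev in sorted(group_events(log_text).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("uid") in allowed_uids:
            continue
        for path in ev["paths"]:
            if DB_FILE_RE.search(path.get("name", "")):
                hits.append({
                    "serial": int(serial),
                    "time": float(ts),
                    "uid": sc.get("uid"),
                    "user": UID_NAMES.get(sc.get("uid"), sc.get("uid")),
                    "comm": sc.get("comm"),
                    "exe": sc.get("exe"),
                    "file": path["name"],
                    "success": sc.get("success") == "yes",
                })
    return hits


if __name__ == "__main__":
    for h in find_suspicious_access(SAMPLE_AUDIT_LOG):
        state = "read" if h["success"] else "DENIED"
        print(f"{h['time']:.3f} {state:6} {h['user']} ({h['comm']}, {h['exe']}) -> {h['file']}")
```

On the sample, the service's own open is ignored and three events are reported: alice opening the file with sqlite3, alice copying the -wal sidecar, and bob's denied read. In production, feed it `ausearch -k navidrome_db --raw` output and replace the constructed uid map with a passwd lookup; a watch on the data directory (or separate -w rules for the sidecars) is needed for the -wal/-shm files to appear at all.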

🔗 References

  • GitHub Security Advisory GHSA-xwx7-p63r-2rj8: https://github.com/navidrome/navidrome/security/advisories/GHSA-xwx7-p63r-2rj8
  • NVD entry for CVE-2024-56362: https://nvd.nist.gov/vuln/detail/CVE-2024-56362