CVE-2025-25205
📋 TL;DR
A vulnerability in Audiobookshelf versions 2.17.0 through 2.19.0 allows unauthenticated attackers to bypass authentication by crafting URLs with specific substrings in query parameters. This can lead to unauthorized access to protected data or server crashes. All self-hosted Audiobookshelf instances running affected versions are vulnerable.
💻 Affected Systems
- Audiobookshelf
📦 What is this software?
Audiobookshelf (vendor: Audiobookshelf), a self-hosted audiobook and podcast server.
⚠️ Risk & Real-World Impact
Worst Case
Complete server crash leading to denial of service, plus unauthorized access to all protected audiobook and podcast data.
Likely Case
Unauthorized access to some protected media files and metadata, potentially causing data leakage.
If Mitigated
Limited impact with proper network segmentation and monitoring, but authentication bypass still possible.
🎯 Exploit Status
Exploitation requires crafting specific URL patterns but does not require authentication or special privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.19.1
Vendor Advisory: https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-pg8v-5jcv-wrvw
Restart Required: Yes
Instructions:
1. Stop the Audiobookshelf service.
2. Update to version 2.19.1 using your package manager or manual installation.
3. Restart the Audiobookshelf service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Audiobookshelf instance to trusted IP addresses only.
Use firewall rules to limit access (e.g., iptables, ufw, cloud security groups)
Reverse Proxy Authentication
Place Audiobookshelf behind a reverse proxy with an additional authentication layer.
Configure nginx/apache with basic auth or other authentication methods
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Audiobookshelf from untrusted networks
- Deploy a web application firewall (WAF) with rules to block suspicious URL patterns containing '/api/' in query parameters
🔍 How to Verify
Check if Vulnerable:
Check Audiobookshelf version via web interface or configuration files. Versions 2.17.0 through 2.19.0 are vulnerable.
Check Version:
Check web interface settings or examine package.json/version files in installation directory
Verify Fix Applied:
After updating, confirm version is 2.19.1 or later. Test authentication by attempting to access protected endpoints without credentials.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /api/ endpoints from unauthenticated users
- Server crash logs following requests with query parameters containing '/api/' patterns
Network Indicators:
- HTTP requests with query parameters containing '/api/' substrings from unauthenticated sources
SIEM Query:
source="audiobookshelf" AND (url="*?r=*/api/*" OR status=500) AND user="anonymous"
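The log indicator above (query-parameter values containing '/api/', and 500 responses on unauthenticated requests) as a small scanner over access-log lines. This is an added example, not code from the advisory or the Audiobookshelf project; the combined-style log format, the `r` parameter name and the sample lines are constructed assumptions.

```python
"""Added example: flag access-log lines that match the CVE-2025-25205 indicators.
Log format and sample lines are constructed for illustration only."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed combined-log-style format: ip - user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_params(target: str) -> list:
    """Return (name, decoded value) pairs whose value contains '/api/'."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; unquote again so double-encoded slashes are caught.
        if "/api/" in unquote(value):
            hits.append((name, value))
    return hits

def scan_lines(lines):
    """Collect lines with a '/api/' query value, or a 500 on an anonymous request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        anonymous = m["user"] == "-"
        if hits or (anonymous and m["status"] == "500"):
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "params": hits,
                "anonymous": anonymous,
            })
    return findings

# Constructed sample lines: benign API call, '/api/' inside a query value,
# the same value URL-encoded, and an anonymous request that ended in a 500.
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Mar/2025:10:00:01 +0000] "GET /api/libraries HTTP/1.1" 200',
    '203.0.113.9 - - [01/Mar/2025:10:00:02 +0000] "GET /?r=/api/items HTTP/1.1" 200',
    '203.0.113.9 - - [01/Mar/2025:10:00:03 +0000] "GET /?r=%2Fapi%2Fitems HTTP/1.1" 200',
    '203.0.113.9 - - [01/Mar/2025:10:00:04 +0000] "GET /status HTTP/1.1" 500',
]
```

Run `scan_lines` over your own access log to list the three kinds of hits; a request path that legitimately starts with /api/ is not flagged, only a query value carrying the substring.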
🔗 References
- https://github.com/advplyr/audiobookshelf/blob/1a3d70d04100924d41391acb55bd8ddca486a4fa/server/Auth.js#L17-L41
- https://github.com/advplyr/audiobookshelf/commit/bf8407274e3ee300af1927ee660d078a7a801e1c
- https://github.com/advplyr/audiobookshelf/commit/ec6537656925a43871b07cfee12c9f383844d224
- https://github.com/advplyr/audiobookshelf/pull/3584
- https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-pg8v-5jcv-wrvw