CVE-2025-48948

6.5 MEDIUM

📋 TL;DR

CVE-2025-48948 is an authorization bypass in the Navidrome music server: authenticated regular users can perform transcoding configuration operations that should be restricted to administrators, allowing unauthorized creation, modification and deletion of transcoding settings. All Navidrome instances with regular user accounts and transcoding enabled are affected.

💻 Affected Systems

Products:
  • Navidrome
Versions: All versions prior to 0.56.0
Operating Systems: All platforms running Navidrome
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with regular user accounts and transcoding functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious regular user could modify transcoding settings to execute arbitrary code, potentially leading to full system compromise if transcoding commands are not properly sanitized.

🟠 Likely Case

Regular users gain unauthorized administrative access to transcoding configuration, potentially disrupting service availability or altering audio quality settings.

🟢 If Mitigated

Limited to unauthorized transcoding configuration changes, without escalation to full administrative privileges or system compromise.

🌐 Internet-Facing: MEDIUM - Requires authenticated access, but internet-facing instances with user accounts are vulnerable to credential-based attacks.
🏢 Internal Only: MEDIUM - Internal users with regular accounts can exploit this to gain unauthorized administrative privileges for transcoding operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated regular user access and knowledge of transcoding configuration endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.56.0

Vendor Advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3

Restart Required: Yes

Instructions:

1. Back up your Navidrome configuration and database.
2. Stop the Navidrome service.
3. Update to version 0.56.0 using your package manager or by downloading from GitHub releases.
4. Restart the Navidrome service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable Transcoding (applies to: all)

Temporarily disable transcoding functionality to prevent exploitation of this vulnerability.

  • Edit navidrome.toml and set EnableTranscoding = false
  • Restart the Navidrome service

Restrict User Access (applies to: all)

Remove or disable regular user accounts until patching can be completed.

  • Edit users.toml or the database to disable non-admin accounts
  • Restart the Navidrome service

🧯 If You Can't Patch

  • Disable transcoding functionality completely in configuration
  • Remove all regular user accounts and operate with admin-only access

🔍 How to Verify

Check if Vulnerable:

Check the Navidrome version via the web interface or configuration file. If the version is below 0.56.0 and transcoding is enabled, the instance is vulnerable.

Check Version:

Check the About section in the Navidrome web interface, or examine the server startup logs.

Verify Fix Applied:

Verify that the version is 0.56.0 or higher via the web interface or configuration. Then test that regular users cannot access the transcoding configuration endpoints.
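The version check above is easy to get wrong when scripted against a fleet (string comparison puts "0.9.0" after "0.56.0"). The following is an added example, not Navidrome project code, that parses the version string as shown in the About page or startup log and applies the two conditions from the advisory (below 0.56.0 and transcoding enabled). The optional leading "v" and any trailing suffix such as "-SNAPSHOT" are assumptions about how the string may appear, not details taken from the advisory.

```python
"""Decide whether a Navidrome instance is affected by CVE-2025-48948.

Added example, not Navidrome project code. Inputs are the version string
reported by the instance and whether transcoding is enabled.
"""
import re

# Fixed release per the vendor advisory (GHSA-f238-rggp-82m3).
FIXED_VERSION = (0, 56, 0)

# Accepts "0.55.2", "v0.55.2" or "0.55.2-SNAPSHOT"; the "v" prefix and
# suffix handling are assumptions about the display format.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) so versions compare numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str, transcoding_enabled: bool) -> bool:
    """True only when both advisory conditions hold."""
    return parse_version(version) < FIXED_VERSION and transcoding_enabled


def assess(version: str, transcoding_enabled: bool) -> str:
    """Human-readable verdict for a single instance."""
    if is_vulnerable(version, transcoding_enabled):
        return f"{version}: VULNERABLE (update to 0.56.0 or later)"
    if parse_version(version) < FIXED_VERSION:
        return f"{version}: unpatched, but transcoding disabled (workaround in place)"
    return f"{version}: patched"


if __name__ == "__main__":
    # Constructed sample inventory: (version string, transcoding enabled)
    for ver, enabled in [("v0.55.2", True), ("0.55.2-SNAPSHOT", False), ("0.56.0", True), ("v0.9.0", True)]:
        print(assess(ver, enabled))
```

Feed it the version strings collected from each instance's About page or startup log; anything reported as VULNERABLE needs the 0.56.0 update or one of the workarounds above.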

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /api/transcoding endpoints
  • Transcoding configuration changes from non-admin user accounts
  • HTTP 200 responses on admin-only endpoints from regular users

Network Indicators:

  • POST/PUT/DELETE requests to /api/transcoding/* from non-admin user sessions
  • Unusual transcoding-related API calls

SIEM Query:

source="navidrome" AND (uri_path="/api/transcoding" OR uri_path="/api/transcoding/*") AND user_role!="admin"
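The SIEM query above can be reproduced outside a SIEM, which is useful for checking reverse-proxy or exported logs after the fact. The following is an added example, not Navidrome project code: it runs the three log indicators listed above over a constructed, line-based access log with username, role, method, path and status fields. Navidrome's real log format is not given in the advisory, so the field layout (and `LINE_RE`) is an assumption to adapt to whatever your proxy or SIEM emits.

```python
"""Flag transcoding configuration calls made by non-admin users.

Added example, not Navidrome project code. The log format below is
constructed for illustration; adapt LINE_RE to your own access log.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (not real Navidrome output).
SAMPLE_LOG = """\
2025-06-01T10:00:01Z user=alice role=admin method=GET path=/api/transcoding status=200
2025-06-01T10:00:05Z user=bob role=regular method=GET path=/api/song status=200
2025-06-01T10:00:07Z user=bob role=regular method=GET path=/api/transcoding status=200
2025-06-01T10:00:09Z user=bob role=regular method=POST path=/api/transcoding status=200
2025-06-01T10:00:12Z user=bob role=regular method=PUT path=/api/transcoding/abc123 status=200
2025-06-01T10:00:15Z user=carol role=regular method=DELETE path=/api/transcoding/abc123 status=403
2025-06-01T10:00:20Z user=alice role=admin method=DELETE path=/api/transcoding/abc123 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

ADMIN_ONLY_PREFIX = "/api/transcoding"   # the endpoint family named in the advisory
MUTATING_METHODS = {"POST", "PUT", "DELETE"}


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    method: str
    path: str
    status: int
    severity: str   # "high", "medium" or "info"


def is_admin_only(path: str) -> bool:
    """Match /api/transcoding and /api/transcoding/<id>, not /api/transcodingfoo."""
    return path == ADMIN_ONLY_PREFIX or path.startswith(ADMIN_ONLY_PREFIX + "/")


def detect(log_text: str) -> list[Finding]:
    """Return one Finding per admin-only transcoding request by a non-admin."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unparseable line; a real pipeline would count these
        if m["role"] == "admin" or not is_admin_only(m["path"]):
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            # A 2xx here means the admin check was bypassed. A mutating
            # method means the configuration was actually changed.
            severity = "high" if m["method"] in MUTATING_METHODS else "medium"
        else:
            # Rejected (e.g. 403 after the fix): still an attempt worth recording.
            severity = "info"
        findings.append(Finding(m["ts"], m["user"], m["method"], m["path"], status, severity))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.user} {f.method} {f.path} -> {f.status}")
```

On the sample, the admin's own calls are ignored, bob's successful GET is rated medium, his POST and PUT are rated high because they changed configuration, and carol's rejected DELETE is recorded as an attempt. Once 0.56.0 is deployed, every non-admin hit on these paths should show up in the rejected category only.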
