CVE-2025-48949
📋 TL;DR
CVE-2025-48949 is a critical SQL injection vulnerability in the Navidrome music server affecting versions 0.55.0 through 0.55.2. Attackers can exploit improper input validation of the API's role parameter to execute arbitrary SQL queries, potentially accessing sensitive user data and database contents. All users running affected versions are vulnerable.
💻 Affected Systems
- Navidrome
📦 What is this software?
Navidrome by Navidrome
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, personal information, and music metadata; potential remote code execution on the database server.
Likely Case
Unauthorized access to user data, music collection information, and potential privilege escalation within the application.
If Mitigated
Limited impact with proper network segmentation and database permissions, but still significant risk of data exposure.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized; exploitation requires API access but no authentication to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.56.0
Vendor Advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r
Restart Required: Yes
Instructions:
1. Stop the Navidrome service.
2. Back up the configuration and database.
3. Update to version 0.56.0 using your package manager or a manual installation.
4. Restart the Navidrome service.
5. Verify functionality.
🔧 Temporary Workarounds
API Endpoint Restriction
Block access to the vulnerable /api/artist endpoint using web server or firewall rules. Note that the nginx prefix location below matches every path beginning with /api/artist, which is the intended coverage here.
# Example nginx location block
location /api/artist { deny all; }
# Example Apache server or virtual host config (<Location> is not permitted in .htaccess)
<Location "/api/artist">
Require all denied
</Location>
Web Application Firewall
Deploy WAF rules to block SQL injection patterns targeting the role parameter.
# ModSecurity rule example
SecRule ARGS:role "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQL injection attempt in Navidrome role parameter'"
🧯 If You Can't Patch
- Implement strict network access controls to limit API endpoint exposure to trusted sources only.
- Deploy database monitoring and alerting for unusual SQL query patterns.
🔍 How to Verify
Check if Vulnerable:
Check Navidrome version via web interface or configuration file; versions 0.55.0-0.55.2 are vulnerable.
Check Version:
Check navidrome.toml or web interface; or run: grep version /path/to/navidrome/config/navidrome.toml
Verify Fix Applied:
Confirm version is 0.56.0 or higher and test API endpoint with SQL injection payloads (in safe environment).
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed API requests to /api/artist with SQL patterns
- Unexpected database errors in application logs
Network Indicators:
- HTTP requests to /api/artist with SQL keywords in parameters
- Unusual database connection patterns from application server
SIEM Query:
source="web_logs" AND uri="/api/artist" AND (param="role" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|;)")
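The log indicators, network indicators and SIEM query above can be checked offline against web-server access logs. The following script is an added example written for this page; it is not Navidrome project code. It assumes a combined/common access-log format in front of Navidrome, mirrors the advisory's keyword list but adds word boundaries so that a legitimate value such as "selection" does not trigger, percent-decodes the query string before inspection, and counts repeated hits per client to surface the "multiple failed API requests" indicator. The sample log lines are constructed for the demonstration.

```python
"""Flag /api/artist requests whose `role` parameter carries SQL metacharacters
or keywords, over web-server access logs.  Added example for this advisory;
not Navidrome project code.  Log format and the sample lines are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Combined/common log format prefix: client ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Keywords mirror the advisory's SIEM pattern; \b keeps "selection" or
# "updated" from matching.  Quotes and comment sequences are what an injected
# string needs in order to break out of the SQL literal, so they are flagged too.
SQLI_RE = re.compile(
    r"(?i)\b(union|select|insert|update|delete|drop)\b|--|/\*|#|;|'"
)


def suspicious_token(value: str):
    """Return the first SQL-looking token in a decoded parameter value, else None."""
    m = SQLI_RE.search(value)
    return m.group(0) if m else None


def scan_log(text: str):
    """Return one finding per /api/artist request whose role= value looks injected."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m["target"])
        if not parts.path.startswith("/api/artist"):
            continue  # only the endpoint named in the advisory
        # parse_qsl percent-decodes and turns '+' into ' ', so encoded input
        # such as %27 is inspected in its decoded form.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key != "role":
                continue
            token = suspicious_token(value)
            if token:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                    "role": value, "token": token,
                })
    return findings


def repeat_offenders(findings, threshold=2):
    """Clients with `threshold` or more flagged requests (the advisory's
    'multiple failed API requests to /api/artist with SQL patterns')."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample lines (not real traffic).  Line 1 is a normal client
# request; lines 2 and 3 come from one client and carry a quote/comment and a
# statement terminator in role=; line 4 hits another endpoint and is ignored;
# line 5 has a quote in a different parameter and is ignored.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2025:12:00:01 +0000] "GET /api/artist?_start=0&_end=20&role=albumartist HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.22 - - [10/Jun/2025:12:00:05 +0000] "GET /api/artist?role=albumartist%27%20UNION%20SELECT%201-- HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.22 - - [10/Jun/2025:12:00:06 +0000] "GET /api/artist?role=x%3B%20-- HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.30 - - [10/Jun/2025:12:00:09 +0000] "GET /api/song?title=select HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.40 - - [10/Jun/2025:12:00:12 +0000] "GET /api/artist?role=artist&name=O%27Brien HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} role={h["role"]!r} token={h["token"]!r}')
    print("repeat offenders:", repeat_offenders(hits))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the role-only filter matches the advisory's scope, and widening it to every parameter is a one-line change in scan_log if you would rather see all SQL-looking input to the endpoint.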