CVE-2025-60427
📋 TL;DR
LibreTime 3.0.0-alpha.10 and earlier versions have a broken access control vulnerability where users with DJ role can access analytics data they shouldn't have permission to view. This allows unauthorized retrieval of station-wide metrics through the Web UI or direct API calls, resulting in information disclosure to less privileged users.
💻 Affected Systems
- LibreTime
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
DJ users could access sensitive analytics data about station performance, user activity, and operational metrics that should be restricted to administrators, potentially enabling further attacks or competitive intelligence gathering.
Likely Case
DJ users accidentally or intentionally viewing analytics dashboards and metrics they shouldn't have access to, leading to information disclosure about station operations.
If Mitigated
With proper role-based access controls, only authorized administrators can access analytics data, maintaining proper data segregation between user roles.
🎯 Exploit Status
Exploitation requires a valid DJ account. Attackers can use the Web UI or make direct API calls to analytics endpoints without proper authorization checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub issue #1251 for latest patched version
Vendor Advisory: https://github.com/libretime/libretime/issues/1251
Restart Required: No
Instructions:
1. Update LibreTime to the latest version that includes the fix.
2. Verify that role-based permissions are properly enforced for the analytics endpoints.
3. Review and update user role assignments if necessary.
🔧 Temporary Workarounds
Temporary Access Restriction
Manually restrict access to the analytics endpoints at the web server or application firewall level. The path below is the one named in this advisory; confirm it against your deployment before applying the rule, and note that a bare "deny all" also locks out administrators, so an allow-list of the networks your admins use is usually the better form.
# Example nginx location block to restrict /api/v2/analytics/
# Addresses are placeholders; replace them with your admin networks.
location /api/v2/analytics/ {
    allow 192.0.2.0/24;   # admin workstation network
    allow 127.0.0.1;      # local access
    deny all;             # everyone else, including DJ sessions
}
🧯 If You Can't Patch
- Implement network segmentation to restrict DJ role users from accessing analytics endpoints
- Add additional authentication layer or web application firewall rules to block unauthorized analytics API calls
🔍 How to Verify
Check if Vulnerable:
1. Log in as a user with the DJ role.
2. Attempt to access analytics data via the Web UI, or make direct API calls to the /api/v2/analytics/ endpoints using that user's session.
3. If the data is returned (HTTP 200), the system is vulnerable.
Check Version:
Check the LibreTime version shown in the web interface, or search the installed configuration files for the version string, e.g. grep -i 'version' /path/to/libretime/config files
Verify Fix Applied:
1. After patching, log in as a DJ role user.
2. Attempt to access the analytics endpoints again.
3. Verify that access is denied with an authorization error (HTTP 401 or 403) rather than a data response.
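The check above, as an added example script that is not part of this advisory or of LibreTime. It assumes the /api/v2/analytics/ path named here (edit ANALYTICS_PATHS if your deployment differs) and that you supply the DJ user's session as a raw Cookie header value copied from a browser session; the cookie name is not assumed. Redirects are not followed, so a 302 to the login page is reported as inconclusive rather than mistaken for a fix.

```python
"""Check whether a DJ session can read LibreTime analytics endpoints.

Added example for CVE-2025-60427, not LibreTime project code.
"""
import sys
import urllib.error
import urllib.request

# Path as given in the advisory; adjust for your deployment (assumption).
ANALYTICS_PATHS = ["/api/v2/analytics/"]

VULNERABLE, FIXED, INCONCLUSIVE = "vulnerable", "fixed", "inconclusive"


def classify(status):
    """Map the HTTP status a DJ session received to a verdict.

    200        -> data returned to a DJ: vulnerable
    401 / 403  -> authorization enforced: fixed
    anything else (3xx to login, 404 wrong path, 5xx) -> inconclusive
    """
    if status == 200:
        return VULNERABLE
    if status in (401, 403):
        return FIXED
    return INCONCLUSIVE


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url, path, cookie):
    """GET base_url + path with the DJ cookie; return the HTTP status code."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Cookie": cookie, "Accept": "application/json"},
    )
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check(base_url, cookie, paths=ANALYTICS_PATHS, fetcher=fetch):
    """Return {path: verdict}. fetcher is injectable for offline testing."""
    return {p: classify(fetcher(base_url, p, cookie)) for p in paths}


def overall(results):
    """Single verdict: vulnerable if any endpoint leaked, fixed only if all denied."""
    verdicts = set(results.values())
    if VULNERABLE in verdicts:
        return VULNERABLE
    if verdicts and verdicts <= {FIXED}:
        return FIXED
    return INCONCLUSIVE


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_dj_analytics.py https://radio.example '<dj session cookie>'")
    results = check(sys.argv[1], sys.argv[2])
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
    print("overall:", overall(results))
```

Run it once before patching (expect "vulnerable") and once after (expect "fixed"); an "inconclusive" result means the cookie expired, the path is wrong for your install, or the server errored, and should not be read as either outcome.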
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to analytics endpoints by non-admin users
- DJ role users accessing /api/v2/analytics/ paths
- 200 responses to analytics endpoints for requests made by DJ-role sessions (after the fix these should be 401 or 403), especially a DJ session that is denied on other admin-only pages but succeeds on analytics paths
Network Indicators:
- API calls to analytics endpoints from non-admin user accounts
- Unusual analytics data retrieval patterns from DJ accounts
SIEM Query:
source="libretime" AND (uri_path="/api/v2/analytics/*" OR endpoint="analytics") AND user_role="DJ" AND response_code=200