Description
Advisory GHSA-f238-rggp-82m3 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/navidrome/navidrome |
Description:
Summary
A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings.
Details
Navidrome supports transcoding functionality which, although disabled by default, should restrict configuration operations to administrators only. However, the application fails to properly validate whether a user has administrative privileges when handling transcoding configuration requests.
The vulnerability exists in the ...
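The missing check described above, as an added illustration that is not Navidrome's code and does not reproduce the actual fix: a constructed transcoding handler mounted bare (the pre-fix shape, where any authenticated caller succeeds) beside the same handler behind a hypothetical `requireAdmin` middleware, exercised with `httptest` for a regular user and an administrator. `User`, `ctxKey`, `withUser`, `saveTranscoding`, `requireAdmin`, `statusFor` and the path `/api/transcoding/1` are all assumptions, not identifiers from the project.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// User is a constructed stand-in for the authenticated caller, not Navidrome's real model.
type User struct {
	Name    string
	IsAdmin bool
}
type ctxKey struct{}

// withUser mimics an authentication layer that has already resolved the caller.
func withUser(r *http.Request, u User) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, u))
}

// saveTranscoding stands in for a create/update/delete transcoding handler.
// Mounted bare, it has the pre-fix shape: any authenticated caller succeeds.
func saveTranscoding(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
}

// requireAdmin is the missing authorization step: it refuses the request
// unless the resolved user carries the admin flag.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, ok := r.Context().Value(ctxKey{}).(User); !ok || !u.IsAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a PUT on behalf of u through h and reports the status code.
func statusFor(h http.Handler, u User) int {
	req := httptest.NewRequest(http.MethodPut, "/api/transcoding/1", nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, withUser(req, u))
	return rec.Code
}

func main() {
	regular, admin := User{Name: "alice"}, User{Name: "root", IsAdmin: true}
	bare, guarded := http.HandlerFunc(saveTranscoding), requireAdmin(http.HandlerFunc(saveTranscoding))
	fmt.Println(statusFor(bare, regular), statusFor(guarded, regular), statusFor(guarded, admin)) // 200 403 200
}
```

The first value is the bug: the bare handler returns 200 for a non-admin, while the guarded one returns 403 for the same caller and 200 only for the administrator.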
References:
- ADVISORY: GHSA-f238-rggp-82m3
- ADVISORY: GHSA-f238-rggp-82m3
- FIX: navidrome/navidrome@e543855
- FIX: fix(transcoding): restrict transcoding operations to admin users navidrome/navidrome#4096
Cross references:
- github.com/navidrome/navidrome appears in 7 other report(s):
- data/reports/GO-2022-0302.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2022-23857 #302)
- data/reports/GO-2023-2414.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: GHSA-wq59-4q6r-635r #2414)
- data/reports/GO-2024-2803.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-32963 #2803)
- data/reports/GO-2024-3029.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: GHSA-hrmx-8jjv-g758 #3029)
- data/reports/GO-2024-3153.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: GHSA-58vj-cv5w-v4v6 #3153)
- data/reports/GO-2024-3357.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-56362 #3357)
- data/reports/GO-2025-3484.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2025-27112 #3484)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/navidrome/navidrome
      non_go_versions:
          - introduced: TODO (earliest fixed "0.56.0", vuln range "<= 0.55.2")
      vulnerable_at: 0.56.1
summary: Navidrome Transcoding Permission Bypass Vulnerability Report in github.com/navidrome/navidrome
cves:
    - CVE-2025-48948
ghsas:
    - GHSA-f238-rggp-82m3
references:
    - advisory: https://github.com/advisories/GHSA-f238-rggp-82m3
    - advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3
    - fix: https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8
    - fix: https://github.com/navidrome/navidrome/pull/4096
source:
    id: GHSA-f238-rggp-82m3
    created: 2025-05-29T23:04:22.253016989Z
review_status: UNREVIEWED
```