Advisories for Golang/Github.com/Navidrome/Navidrome package

2024
2023

Authentication bypass vulnerability in navidrome's subsonic endpoint

Summary A security vulnerability has been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed with the key "not so secret". The vulnerability can only be exploited on instances that have never been restarted. Details Navidrome supports an extension to the subsonic authentication scheme, where a JWT can be provided using a jwt …

2022