GHSA-58vj-cv5w-v4v6: Navidrome has Multiple SQL Injections and ORM Leak

September 20, 2024

Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like password=... in the URL (ORM Leak).

Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections.

Finally, the username is used in a LIKE statement, allowing people to log in with % instead of their username.

References

github.com/advisories/GHSA-58vj-cv5w-v4v6
github.com/navidrome/navidrome
github.com/navidrome/navidrome/commit/3107170afd9f557a10f7031f23cb3c9e975a71f9
github.com/navidrome/navidrome/security/advisories/GHSA-58vj-cv5w-v4v6

Code Behaviors & Features

Detect and mitigate GHSA-58vj-cv5w-v4v6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →