CVE-2025-27112
CVSS 3.1 Score 6.5 of 10 (medium)
Details
Summary
CVE-2025-27112 is a vulnerability affecting Navidrome, an open-source music collection server and streamer. In versions from 0.52.0 up to, but not including, 0.54.5, a flaw in the authentication check of certain Subsonic API endpoints allows an unauthenticated attacker to bypass authentication by supplying a non-existent username together with an empty password. Navidrome incorrectly treats such requests as authenticated and grants read access to data such as user playlists. The attacker cannot modify any data, because the bypassed session carries insufficient permissions. The vulnerability is patched in version 0.54.5.
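The summary does not show Navidrome's code, so the following Go program is an added, hypothetical illustration of the bug class rather than the project's actual check. It assumes a user store that returns the zero value for an unknown username and a Subsonic-style request carrying u (username) and either p (password, plain or "enc:"-hex) or t/s (md5(password+salt) token and salt). The fail-open variant compares the submitted password against whatever the store returned, so an unknown user plus an empty password compares equal; the fail-closed variant rejects unknown users and empty credentials before comparing. The user table is constructed for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/url"
)

// Constructed in-memory user table standing in for the server's user store.
var users = map[string]string{
	"alice": "correct horse battery staple",
}

// lookupUser mirrors a store that yields the zero value ("") for an unknown
// user; the found flag is what a careful caller must check.
func lookupUser(name string) (password string, found bool) {
	password, found = users[name]
	return
}

// subsonicCredentials holds the Subsonic auth query parameters.
type subsonicCredentials struct {
	user, password, token, salt string
}

// parseCredentials extracts u, p (decoding the "enc:" hex form), t and s.
func parseCredentials(query string) (subsonicCredentials, error) {
	q, err := url.ParseQuery(query)
	if err != nil {
		return subsonicCredentials{}, err
	}
	c := subsonicCredentials{
		user:     q.Get("u"),
		password: q.Get("p"),
		token:    q.Get("t"),
		salt:     q.Get("s"),
	}
	if len(c.password) > 4 && c.password[:4] == "enc:" {
		raw, err := hex.DecodeString(c.password[4:])
		if err != nil {
			return subsonicCredentials{}, err
		}
		c.password = string(raw)
	}
	return c, nil
}

// md5hex returns the lowercase hex MD5 digest used by the Subsonic token scheme.
func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// authenticateFailOpen is the hypothetical flawed check: the found flag is
// ignored, so an unknown user yields stored == "" and an empty submitted
// password matches it.
func authenticateFailOpen(query string) bool {
	c, err := parseCredentials(query)
	if err != nil {
		return false
	}
	stored, _ := lookupUser(c.user)
	if c.token != "" {
		return c.token == md5hex(stored+c.salt)
	}
	return c.password == stored
}

// authenticateFailClosed rejects unknown users and empty credentials first,
// then compares in constant time.
func authenticateFailClosed(query string) bool {
	c, err := parseCredentials(query)
	if err != nil {
		return false
	}
	stored, found := lookupUser(c.user)
	if !found || stored == "" {
		return false
	}
	if c.token != "" {
		if c.salt == "" {
			return false
		}
		return subtle.ConstantTimeCompare([]byte(c.token), []byte(md5hex(stored+c.salt))) == 1
	}
	if c.password == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(c.password), []byte(stored)) == 1
}

func main() {
	req := "u=nobody&p=&v=1.16.1&c=demo" // unknown user, empty password
	fmt.Println("fail-open:  ", authenticateFailOpen(req))   // true  (bypass)
	fmt.Println("fail-closed:", authenticateFailClosed(req)) // false (rejected)
}
```

The defensive point is the ordering: existence of the principal and non-emptiness of the credential are checked before any comparison, so a store that returns a zero value for misses can never be turned into a valid login.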
Affected Vendors
- Navidrome