CVE-2025-48949: Navidrome allows SQL Injection via role parameter

8.9 CVSS

Description

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information. Version 0.56.0 contains a patch for the issue.
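The mitigation class for this flaw is validating `role` against a fixed set of known values and keeping caller input out of the SQL text. The Go snippet below is an added example, not Navidrome's code or the referenced patch: the flawed concatenation pattern is shown beside a hardened variant, and the allow-list values, column names and function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical allow-list of role names the endpoint accepts. The real set
// is defined by the application; these values are illustrative only.
var allowedRoles = map[string]bool{
	"artist": true, "albumartist": true, "composer": true,
}

// Structural check: lowercase letters and underscores, bounded length.
var roleShape = regexp.MustCompile(`^[a-z_]{1,32}$`)

// unsafeArtistQuery shows the flawed pattern: the caller-controlled role is
// spliced into the SQL string, so quotes or comment markers in it alter
// the statement itself.
func unsafeArtistQuery(role string) string {
	return "SELECT id, name FROM artist WHERE role = '" + role + "'"
}

// safeArtistQuery normalises the role, rejects anything outside the
// allow-list, and returns a parameterised statement plus its argument
// slice for use with database/sql, so the value never touches SQL text.
func safeArtistQuery(role string) (string, []any, error) {
	role = strings.ToLower(strings.TrimSpace(role))
	if !roleShape.MatchString(role) || !allowedRoles[role] {
		return "", nil, errors.New("invalid role parameter")
	}
	return "SELECT id, name FROM artist WHERE role = ?", []any{role}, nil
}

func main() {
	// Constructed inputs: one valid role and one containing a stray quote.
	for _, r := range []string{"artist", "artist'"} {
		q, args, err := safeArtistQuery(r)
		fmt.Printf("%q -> query=%q args=%v err=%v\n", r, q, args, err)
	}
}
```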

Classification

CVE ID: CVE-2025-48949

CVSS Base Severity: HIGH

CVSS Base Score: 8.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Problem Types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products

Vendor: navidrome

Product: navidrome

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.07% (probability of being exploited)

EPSS Percentile: 23.2% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-07 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48949
https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r
https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6

Timeline