Description
Navidrome Transcoding Permission Bypass Vulnerability Report
Summary
A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings.
Details
Navidrome supports transcoding functionality which, although disabled by default, should restrict configuration operations to administrators only. However, the application fails to properly validate whether a user has administrative privileges when handling transcoding configuration requests.
The vulnerability exists in the API endpoints that manage transcoding settings. When a regular user sends requests to these endpoints, the application processes them without verifying if the user has administrative privileges, despite the JWT token clearly indicating the user is not an administrator ("adm":false).
The affected endpoints include:
- POST /api/transcoding (Create transcoding configuration)
- PUT /api/transcoding/:id (Update transcoding configuration)
- DELETE /api/transcoding/:id (Delete transcoding configuration)
- GET /api/transcoding (List transcoding configurations)
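The flaw described above is a missing authorization layer: the handler confirms that the caller is authenticated but never checks the admin flag carried by the session. The following Go program is an added illustration written for this report; it is not Navidrome's code and does not use its internal packages. It assumes a hypothetical authentication middleware has already validated the token and stored a user identity (with an IsAdmin field standing in for the "adm" claim) in the request context. It runs a stand-in /api/transcoding handler twice: once as-is, where a regular user's POST is accepted, and once wrapped in a requireAdmin middleware, where the same request is refused with 403 while an administrator's request still succeeds.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// user is the identity the (assumed) authentication layer attaches to a
// request. IsAdmin plays the role of the JWT "adm" claim from the report.
type user struct {
	Name    string
	IsAdmin bool
}

type ctxKey struct{}

// withUser simulates an authentication middleware that has already
// validated the session token and places the resulting identity in the
// request context. Hypothetical helper, not Navidrome code.
func withUser(u user, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := context.WithValue(r.Context(), ctxKey{}, u)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// userFrom extracts the authenticated identity stored by withUser.
func userFrom(r *http.Request) (user, bool) {
	u, ok := r.Context().Value(ctxKey{}).(user)
	return u, ok
}

// transcodingHandler stands in for the transcoding CRUD endpoint. It only
// checks that *someone* is logged in, which is the flawed pattern: any
// authenticated user, admin or not, gets through.
func transcodingHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := userFrom(r); !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "%s /api/transcoding accepted", r.Method)
}

// requireAdmin is the missing authorization check: it refuses the request
// unless the authenticated identity carries the admin flag. It is applied
// to every method on the endpoint (GET, POST, PUT, DELETE alike).
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := userFrom(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if !u.IsAdmin {
			http.Error(w, "forbidden: administrator role required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// serve returns the HTTP status the handler stack produces for a request
// from u. hardened selects whether requireAdmin wraps the handler.
func serve(u user, method string, hardened bool) int {
	var h http.Handler = http.HandlerFunc(transcodingHandler)
	if hardened {
		h = requireAdmin(h)
	}
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(method, "/api/transcoding", nil)
	withUser(u, h).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample identities for the demonstration.
	regular := user{Name: "alice", IsAdmin: false}
	admin := user{Name: "root", IsAdmin: true}
	for _, hardened := range []bool{false, true} {
		fmt.Printf("hardened=%-5v regular POST -> %d, admin POST -> %d\n",
			hardened,
			serve(regular, http.MethodPost, hardened),
			serve(admin, http.MethodPost, hardened))
	}
}
```

The point of the design is that the role check lives in a middleware applied to the whole route group rather than inside each handler, so adding a new transcoding endpoint later cannot silently reintroduce the bypass. A deployment check for the same property is simply the PoC above run with a non-admin session: a patched server must answer 403, not 200.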
PoC
- Set up Navidrome with transcoding enabled
- Log in as a regular user (non-administrator)
- Send the following HTTP request:
- The request will succeed despite the JWT token clearly indicating the user is not an administrator ("adm":false)
- The same operation can be performed with administrator credentials, confirming that no authorization check is being performed
Impact
This vulnerability allows regular users to modify critical system configurations that should be restricted to administrators only. While Navidrome does not recommend enabling transcoding in production environments, when it is enabled, proper authorization checks should still be enforced.
The security impact includes:
- Privilege Escalation: Regular users can perform administrator-only actions
- System Configuration Tampering: Unauthorized users can modify transcoding settings, potentially affecting system performance or functionality
- Potential Command Injection: Since transcoding settings include command parameters, this could potentially lead to command injection if not properly sanitized
In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled.
Packages
github.com/navidrome/navidrome
Affected versions: <= 0.55.2
Patched version: 0.56.0
Related vulnerabilities
Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.