Release v0.54.5 · navidrome/navidrome · GitHub (github.com)
from sabreW4K3@lazysoci.al to navidrome@discuss.tchncs.de on 21 Feb 2025 08:18
https://lazysoci.al/post/22376836

This is an important security fix. Please update ASAP. A proper CVE advisory will be published soon and will be linked here.

#navidrome


Deebster@programming.dev on 21 Feb 2025 11:57

This seems quite serious, I’ll definitely be reading the CVE once it’s published. Luckily, I noticed the GitHub notification of the release after only a couple of hours.

edit: I read the advisory and it wasn’t too bad in terms of attacker access:

Impact
An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails due to insufficient permissions, limiting the impact to unauthorized viewing of information.

vext01@lemmy.sdf.org on 22 Feb 2025 19:24

I wish the web ui supported jukebox mode