CVE-2022-23857

Name of the Vulnerable Software and Affected Versions Navidrome versions prior to 0.47.5

Description The issue allows for SQL injection attacks when processing crafted Smart Playlists. An authenticated user could exploit this to extract arbitrary data from the database, including the user table, which contains sensitive information such as users' encrypted passwords.

Recommendations For versions prior to 0.47.5, update to version 0.47.5 or later to resolve the issue. As a temporary workaround, consider restricting access to crafted Smart Playlists until the update is applied.