PT-2024-25010 · Navidrome · Navidrome

Viliald

·

Published

2024-05-01

·

Updated

2024-09-20

·

CVE-2024-32963

CVSS v3.1

4.2

Medium

Vector AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Navidrome versions prior to 0.52.0
Description: Navidrome is an open source web-based music collection server and streamer. Versions prior to 0.52.0 contain a parameter tampering vulnerability: the server trusts the ownerId value supplied in the body of a playlist request instead of deriving it from the authenticated session, so a logged-in attacker who modifies that value in their own request (for example, by routing it through an intercepting proxy) can act as another user. Every known user account is affected, and because the ownerId is exposed in shared playlist information, any user who has shared a playlist has already disclosed the identifier needed to impersonate them.
Recommendations: Upgrade Navidrome to version 0.52.0 or later, which addresses the issue. There are no known workarounds other than upgrading. Until the upgrade is applied, limiting playlist sharing reduces how many ownerId values are exposed, but it does not close the underlying flaw: the attacker tampers with their own requests, so nothing on the network side prevents the attack, and a valid account plus a target's ownerId is all that is required.
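The following Go program is an added example written for this page; it is not Navidrome's code and does not reproduce its actual handlers or fix. It contrasts a constructed playlist-creation handler that accepts ownerId from the JSON body (the tampering pattern the advisory describes) with one that binds ownerId to the authenticated user, and adds an update path that checks ownership of the stored record before modifying it. The names vulnerableCreate, hardenedCreate, hardenedUpdate, the context key, the endpoint path and the in-memory store are assumptions made for illustration.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Playlist is the minimal shape of a constructed playlist create/update body.
type Playlist struct {
	Name    string `json:"name"`
	OwnerID string `json:"ownerId"`
}

type ctxKey string

// userKey is where a hypothetical auth middleware stores the logged-in user id.
const userKey ctxKey = "user"

// store is a constructed in-memory stand-in for the playlist table.
var store = map[string]Playlist{
	"pl-1": {Name: "victim mix", OwnerID: "victim"},
}

func authenticatedUser(r *http.Request) string {
	u, _ := r.Context().Value(userKey).(string)
	return u
}

// vulnerableCreate trusts ownerId from the body: any logged-in user can file a
// playlist under any ownerId they know. This is the flaw, kept on purpose.
func vulnerableCreate(r *http.Request) (Playlist, error) {
	var p Playlist
	err := json.NewDecoder(r.Body).Decode(&p)
	return p, err
}

// hardenedCreate discards whatever ownerId the body carries and binds the
// record to the authenticated user, so tampering with the field has no effect.
func hardenedCreate(r *http.Request) (Playlist, error) {
	var p Playlist
	if err := json.NewDecoder(r.Body).Decode(&p); err != nil {
		return Playlist{}, err
	}
	user := authenticatedUser(r)
	if user == "" {
		return Playlist{}, errors.New("unauthenticated")
	}
	p.OwnerID = user
	return p, nil
}

// hardenedUpdate refuses to modify a playlist the caller does not own and only
// copies fields the caller is allowed to change (never ownerId).
func hardenedUpdate(r *http.Request, id string) error {
	existing, ok := store[id]
	if !ok {
		return errors.New("not found")
	}
	if user := authenticatedUser(r); user == "" || existing.OwnerID != user {
		return errors.New("forbidden")
	}
	var in Playlist
	if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
		return err
	}
	existing.Name = in.Name
	store[id] = existing
	return nil
}

// requestAs builds the request a logged-in user sends after editing the body
// in a proxy to claim ownerInBody as the playlist's ownerId.
func requestAs(userID, ownerInBody string) *http.Request {
	body := fmt.Sprintf(`{"name":"mine","ownerId":%q}`, ownerInBody)
	r := httptest.NewRequest(http.MethodPost, "/api/playlist", strings.NewReader(body))
	return r.WithContext(context.WithValue(r.Context(), userKey, userID))
}

// OwnerStored returns the ownerId each create handler would persist for the
// same tampered request sent by attackerID.
func OwnerStored(attackerID, victimID string) (vulnerable, hardened string) {
	v, _ := vulnerableCreate(requestAs(attackerID, victimID))
	h, _ := hardenedCreate(requestAs(attackerID, victimID))
	return v.OwnerID, h.OwnerID
}

// UpdateAllowed reports whether userID may rename playlist id via hardenedUpdate.
func UpdateAllowed(userID, id string) bool {
	return hardenedUpdate(requestAs(userID, userID), id) == nil
}

func main() {
	v, h := OwnerStored("attacker", "victim")
	fmt.Printf("vulnerable stores ownerId=%s, hardened stores ownerId=%s\n", v, h)
	fmt.Println("attacker may update pl-1:", UpdateAllowed("attacker", "pl-1"))
	fmt.Println("victim may update pl-1:  ", UpdateAllowed("victim", "pl-1"))
}
```

The design point is that an owner identifier must never be a client-controlled input: the hardened create path overwrites it from the session, and the update path compares the stored owner against the session before accepting any change, which also covers the case where the attacker already knows a victim's playlist id.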

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2024-32963
GHSA-4JRX-5W4H-3GPM
GO-2024-2803

Affected Products

Navidrome