CVE-2024-56362

Name of the Vulnerable Software and Affected Versions Navidrome versions prior to 0.54.1

Description Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. The JWT secret is critical for the authentication and authorization system. If exposed, an attacker could forge valid tokens to impersonate users, including administrative accounts, and gain unauthorized access to sensitive data or perform privileged actions.

Recommendations For versions prior to 0.54.1, update to version 0.54.1 to fix the vulnerability. As a temporary workaround, consider restricting access to the navidrome.db database file to minimize the risk of exploitation. Avoid storing sensitive data in plaintext and ensure the database file is adequately secured.