PT-2025-23230 · Navidrome+2

4Rdr · Published 2025-05-29 · Updated 2025-08-26 · CVE-2025-48949

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Navidrome versions 0.55.0 through 0.55.2
Description: The issue arises from improper input validation of the role parameter of the /api/artist API endpoint. An attacker can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information. The vulnerability affects the SQLite database and allows an unauthenticated attacker to execute arbitrary SQL commands, extract or manipulate sensitive data, and potentially escalate privileges or disrupt service availability.
Recommendations: For Navidrome versions 0.55.0 through 0.55.2, update to version 0.56.0 to resolve the issue. As a temporary workaround, restrict access to the /api/artist API endpoint to minimize the risk of exploitation, and avoid using the role parameter in the affected endpoint until the issue is resolved.
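The workaround above can be enforced in front of the vulnerable endpoint. The following Go middleware is an added example written for this advisory, not Navidrome's own code or its fix: it rejects /api/artist requests whose role parameter is not a short identifier from an assumed allowlist (the role names and the handler wiring are assumptions), so a value carrying quotes, comments or operators never reaches the query builder.

```go
package main

import (
	"net/http"
	"net/url"
	"regexp"
)

// allowedRoles is an assumed allowlist of role names a client may legitimately
// pass; replace it with the set your deployment actually uses.
var allowedRoles = map[string]bool{"artist": true, "albumartist": true, "composer": true}

// roleShape accepts only a short lowercase identifier, so quotes, spaces,
// comment markers and SQL operators are rejected before the allowlist lookup.
var roleShape = regexp.MustCompile(`^[a-z_]{1,32}$`)

// RoleParamOK reports whether every "role" value in the raw query string is a
// well-formed, allowlisted identifier. Requests without a role parameter pass.
func RoleParamOK(rawQuery string) bool {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return false
	}
	for _, r := range q["role"] {
		if !roleShape.MatchString(r) || !allowedRoles[r] {
			return false
		}
	}
	return true
}

// GuardArtistRole wraps a handler and answers 400 for /api/artist requests whose
// role parameter fails RoleParamOK; every other request is passed through.
func GuardArtistRole(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/api/artist" && !RoleParamOK(r.URL.RawQuery) {
			http.Error(w, "invalid role parameter", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed wiring: the real handler for /api/artist sits behind the guard.
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	http.ListenAndServe("127.0.0.1:4533", GuardArtistRole(api))
}
```

Rejected requests are worth logging with the offending value, since any client sending a malformed role to this endpoint on an unpatched 0.55.x instance is a signal to investigate.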

Tags: Exploit · Fix · SQL injection

Weakness Enumeration

Related Identifiers

ALT-PU-2025-7663
CVE-2025-48949
GHSA-5WGP-VJXM-3X2R
GO-2025-3734
OPENSUSE-SU-2025:15225-1

Affected Products

Alt Linux
Navidrome
Sqlite