Release v0.54.5 · navidrome/navidrome

This seems quite serious, I'll definitely be reading the CVE once it's published. Luckily, I noticed the github notification of the release after only a couple of hours.

edit: I read the advisory and it wasn't too bad in terms of attacker access:

Impact
An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails due to insufficient permissions, limiting the impact to unauthorized viewing of information.

2 comments

This seems quite serious, I'll definitely be reading the CVE once it's published. Luckily, I noticed the github notification of the release after only a couple of hours.
edit: I read the advisory and it wasn't too bad in terms of attacker access:
Impact
An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails due to insufficient permissions, limiting the impact to unauthorized viewing of information.
I wish the web ui supported jukebox mode