CVE-2025-27112: 
NixOS vulnerability analysis and mitigation

Navidrome, an open source web-based music collection server and streamer, contains an authentication bypass vulnerability (CVE-2025-27112) affecting versions 0.52.0 through 0.54.4. The vulnerability was discovered in February 2025 and patched in version 0.54.5 (NVD, GitHub Advisory).

The vulnerability stems from a flaw in the authentication check process within certain Subsonic API endpoints. An attacker can bypass authentication by specifying any arbitrary username that does not exist on the system, along with a salted hash of an empty password. When these conditions are met, Navidrome incorrectly treats the request as authenticated, granting access to various Subsonic endpoints without requiring valid credentials. The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

The impact of this vulnerability is limited to unauthorized read-only access to various data in Navidrome, including user playlists. While an attacker can bypass authentication, any attempts to modify data fail with a 'permission denied' error due to insufficient permissions. The vulnerability only allows viewing of information without the ability to make changes (GitHub Advisory).

The vulnerability has been patched in Navidrome version 0.54.5. Users are advised to upgrade to this version or later to address the security issue. No alternative workarounds have been provided (GitHub Advisory, NVD).