CVE-2025-46338: 
NixOS vulnerability analysis and mitigation

Audiobookshelf, a self-hosted audiobook and podcast server, was found to contain a reflected cross-site scripting (XSS) vulnerability prior to version 2.21.0. The vulnerability was discovered on April 27, 2025, and assigned identifier CVE-2025-46338. The issue affects the /api/upload endpoint where improper input handling of the libraryId field allows attackers to perform XSS attacks (GitHub Advisory).

The vulnerability stems from insufficient input validation in the /api/upload endpoint. When processing upload requests, the server directly reflects unsanitized user input from the libraryId field in error messages. The CVSS v3.1 base score is 6.1 (MEDIUM), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in a victim's browser context. This could potentially lead to session hijacking, credential theft, or further exploitation of the affected system. The attack requires user interaction as it is a reflected XSS vulnerability (GitHub Advisory).

The vulnerability has been patched in version 2.21.0 of Audiobookshelf. The fix includes proper input validation and sanitization of the libraryId field. Users are advised to upgrade to version 2.21.0 or later. The patch can be found in commit 35870a0, which updates the upload API endpoint to validate request body parameters (GitHub Patch).