CVE-2025-48949: 
Linux Alpine vulnerability analysis and mitigation

Navidrome, an open source web-based music collection server and streamer, contains a critical SQL injection vulnerability (CVE-2025-48949) in versions 0.55.0 through 0.55.2. The vulnerability was discovered and disclosed on May 29, 2025, affecting the role parameter within the API endpoint /api/artist. The issue has been patched in version 0.56.0 (GitHub Advisory).

The vulnerability stems from improper input validation on the role parameter within the API endpoint /api/artist. The flaw allows attackers to inject arbitrary SQL queries into the SQLite database backend. The vulnerability has been assigned a CVSS v4.0 score of 8.9 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P. The issue is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).

Successful exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to unauthorized access to the backend database. Attackers can extract or manipulate sensitive data, including user records and playlists, and potentially escalate privileges or disrupt service availability (GitHub Advisory).

Users are strongly advised to upgrade to Navidrome version 0.56.0, which contains a patch for this vulnerability. The fix includes proper validation of the role parameter against a predefined list of allowed values (GitHub Commit).