CVE-2025-48949: 
NixOS vulnerability analysis and mitigation

Navidrome, an open source web-based music collection server and streamer, was found to contain a critical SQL injection vulnerability (CVE-2025-48949) discovered on May 29, 2025. The vulnerability affects versions 0.55.0 through 0.55.2 and is related to improper input validation on the role parameter within the API endpoint /api/artist (GitHub Advisory).

The vulnerability stems from improper input validation on the role parameter within the API endpoint /api/artist, allowing attackers to inject arbitrary SQL queries into the SQLite database backend. The vulnerability has been classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command. It received a CVSS v4.0 score of 8.9 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P (NVD, GitHub Advisory).

Successful exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to unauthorized access to the backend database. Attackers can extract or manipulate sensitive data, including user records and playlists, and potentially escalate privileges or disrupt service availability (GitHub Advisory).

Users are strongly advised to upgrade to Navidrome version 0.56.0, which contains a patch for this vulnerability. The fix includes proper validation of the role parameter against a predefined list of allowed values (GitHub Commit, GitHub Advisory).