First published: Mon Dec 23 2024 (Updated: )
Navidrome stores the JWT secret in plaintext in the `navidrome.db` database file under the `property` table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. The JWT secret is critical for the authentication and authorization system. If exposed, an attacker could:

- Forge valid tokens to impersonate users, including administrative accounts.
- Gain unauthorized access to sensitive data or perform privileged actions.

This vulnerability has been tested on the latest version of Navidrome and poses a significant risk in environments where the database file is not adequately secured.

![image](https://github.com/user-attachments/assets/29aae867-f21f-4d70-bda0-d2bb87d754d9)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/navidrome/navidrome | <=0.53.3 | 0.54.1 |
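A defender-side audit for the issue above, added here as an example and not part of the advisory or of Navidrome's code: it opens a SQLite database, lists `property` rows whose id looks like a credential, and checks whether the file is readable by anyone other than its owner. Assumed rather than verified: the `property` table has `id` and `value` columns, the secret's row id resembles "JWTSecret", and the sample database is constructed inline.

```python
# Added audit helper for the issue described above; not Navidrome's own code.
# Assumed (not verified here): the `property` table has columns `id` and
# `value`, and the secret's row id is something like "JWTSecret".
import os
import re
import sqlite3
import tempfile

SENSITIVE = re.compile(r"secret|token|jwt", re.IGNORECASE)

def find_sensitive_properties(db_path):
    """Ids of `property` rows that look like credentials and hold a value."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("SELECT id, value FROM property").fetchall()
    finally:
        conn.close()
    return sorted(pid for pid, value in rows if SENSITIVE.search(pid) and value)

def is_group_or_world_readable(path):
    """True if any group/other read bit is set on the database file."""
    return bool(os.stat(path).st_mode & 0o044)

def harden_permissions(path):
    """Mitigation: owner-only access; returns the new readability state."""
    os.chmod(path, 0o600)
    return is_group_or_world_readable(path)

def make_sample_db():
    """Constructed navidrome.db-like file with one plaintext secret row."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE property (id TEXT PRIMARY KEY, value TEXT)")
    conn.executemany(
        "INSERT INTO property (id, value) VALUES (?, ?)",
        [("JWTSecret", "constructed-sample-secret"),  # assumed row id
         ("LastScan", "2024-12-23T00:00:00Z")],
    )
    conn.commit()
    conn.close()
    os.chmod(path, 0o644)  # common default: readable by group and others
    return path

if __name__ == "__main__":
    sample = make_sample_db()
    print(find_sensitive_properties(sample), is_group_or_world_readable(sample))
```

Point `find_sensitive_properties` and `is_group_or_world_readable` at a real `navidrome.db` to confirm the secret is present and whether the file's mode bits expose it; restricting the file to the service account is the mitigation until the fixed version is deployed.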