Navidrome SQL Injection Vulnerability in API Endpoint

Vulnerability

A SQL injection vulnerability has been identified in Navidrome versions 0.55.0 through 0.55.2. The issue arises from inadequate input validation on the 'role' parameter within the '/api/artist' API endpoint. This vulnerability allows attackers to inject arbitrary SQL queries, potentially leading to unauthorized access to the backend database and exposure of sensitive user information. The vulnerability has been confirmed to affect SQLite databases, with exploitation demonstrated using SQLite-specific payloads.

Impact

Exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary SQL commands, extract or manipulate sensitive data such as user records and playlists, and potentially escalate privileges or disrupt service availability.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/api/artist' endpoint with a crafted 'role' parameter that includes malicious SQL payloads. This can be done using a tool like sqlmap, targeting the SQLite database.
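The advisory above names the flaw (a caller-controlled 'role' value reaching SQL text unvalidated) and the consequence (query logic rewritten by the request), but shows no code. The block below is an added illustration, not Navidrome's code; Navidrome itself is written in Go, and Python with the standard-library sqlite3 module is used here only because it runs anywhere and exercises SQLite, the database the advisory says is affected. It shows the vulnerable string-interpolation pattern beside a hardened version that allowlists the role name and binds it as a parameter, and then reuses that same allowlist check to flag requests to /api/artist in sample access-log lines whose 'role' value is not a plausible role. The table layout, the role vocabulary in ROLE_ALLOWLIST and the log lines are all constructed for this example and are not taken from the project.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed vocabulary of acceptable role names (assumption: the real
# project's list is not on the page; a deployment would use its own).
ROLE_ALLOWLIST = frozenset({
    "artist", "albumartist", "composer", "conductor", "lyricist", "producer",
})


def make_db():
    """Constructed in-memory SQLite schema standing in for a music library DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE artist (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE artist_role (artist_id INTEGER, role TEXT);
        INSERT INTO artist VALUES (1, 'Alpha'), (2, 'Beta');
        INSERT INTO artist_role VALUES (1, 'artist'), (2, 'composer');
    """)
    return conn


def artists_by_role_vulnerable(conn, role):
    """Vulnerable pattern: the request value is pasted into the SQL text, so any
    quote or operator in it changes the query instead of being matched."""
    sql = ("SELECT a.name FROM artist a JOIN artist_role r ON r.artist_id = a.id "
           f"WHERE r.role = '{role}'")
    return [row[0] for row in conn.execute(sql)]


def validate_role(role):
    """Allowlist check: only an exact, known role name is accepted."""
    return role in ROLE_ALLOWLIST


def artists_by_role_safe(conn, role):
    """Hardened form: reject anything outside the allowlist, then bind the value
    as a parameter so the SQL text never changes with the input."""
    if not validate_role(role):
        raise ValueError(f"unknown role: {role!r}")
    sql = ("SELECT a.name FROM artist a JOIN artist_role r ON r.artist_id = a.id "
           "WHERE r.role = ?")
    return [row[0] for row in conn.execute(sql, (role,))]


# Constructed access-log lines (combined-log shape); the third carries a
# percent-encoded quote and operator in the role value.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2025:19:46:01 +0000] "GET /api/artist?role=artist&_start=0 HTTP/1.1" 200 512
10.0.0.9 - - [09/Jun/2025:19:46:02 +0000] "GET /api/artist?role=composer HTTP/1.1" 200 256
10.0.0.7 - - [09/Jun/2025:19:46:03 +0000] "GET /api/artist?role=artist%27%20OR%201%3D1-- HTTP/1.1" 200 1024
10.0.0.7 - - [09/Jun/2025:19:46:04 +0000] "GET /api/album?role=artist HTTP/1.1" 200 128
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<method>[A-Z]+) (?P<target>\S+) ')


def flag_suspicious_role_requests(log_text):
    """Return (client_ip, decoded_role) for /api/artist requests whose 'role'
    query value fails the same allowlist the hardened handler enforces."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != "/api/artist":
            continue
        # parse_qs percent-decodes, so the check sees what the handler would see.
        for role in parse_qs(url.query).get("role", []):
            if not validate_role(role):
                hits.append((m.group("ip"), role))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("safe, composer:", artists_by_role_safe(db, "composer"))
    print("vulnerable, tautology:", artists_by_role_vulnerable(db, "' OR 1=1 --"))
    print("flagged requests:", flag_suspicious_role_requests(SAMPLE_LOG))
```

The allowlist is deliberately stricter than escaping or a character regex: the 'role' parameter selects from a small fixed vocabulary, so anything else can be rejected outright before it reaches the database, and the same function doubles as a cheap detection rule over existing access logs for installations that have not yet upgraded to 0.56.0.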

Remediation

Users can upgrade to Navidrome version 0.56.0, which addresses this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          0.8
  impact          7.5
  exploitability  9.5
  remediation     7.7
  relevance       0.1
  threat          6.4
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.