Audiobookshelf OIDC Callback URL Vulnerability Leading to Token Exfiltration and Account Takeover

Vulnerability

Audiobookshelf versions 2.6.0 through 2.26.3 improperly handle redirect callback URLs during OpenID Connect (OIDC) authentication. This flaw lets an attacker craft a login link that causes Audiobookshelf to store a malicious callback URL in a cookie. After authentication, the application redirects the user to this attacker-controlled URL with the sensitive OIDC tokens included as query parameters. This allows the attacker to capture the victim's tokens, leading to a complete account takeover. If the compromised account belongs to an administrator, the attacker can create permanent admin users. Because the tokens travel in the URL, they are also exposed in browser history, Referer headers, and server logs.

Impact

Exploitation of this vulnerability allows for full account takeover, with the ability to create persistent admin users if the victim is an administrator.

Reproduction

To reproduce this vulnerability, first ensure that Audiobookshelf is running with OIDC enabled. Then, send a login link that includes a malicious callback URL to a user. Once the user authenticates, Audiobookshelf will redirect to the attacker's URL with the OIDC tokens appended as query parameters. The attacker can then capture these tokens and use them to access the user's account.

Remediation

Users should update to Audiobookshelf version 2.28.0, where this vulnerability has been fixed.

Added: Aug 22, 2025, 5:27 PM
Updated: Aug 22, 2025, 6:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 7.5
exploitability: 7.7
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.