Audiobookshelf Incorrect Authorization Vulnerability in Bulk Download Endpoint Allowing Cross-Library File Exfiltration

Vulnerability

A vulnerability in Audiobookshelf versions prior to 2.32.2 allows authenticated users with download permissions to exfiltrate files from libraries they do not have access to. The issue lies in the 'GET /api/libraries/:id/download' endpoint, which does not scope the downloaded items to the library named in the URL. Instead, it resolves items solely from the attacker-supplied item IDs, so items belonging to libraries the user is not permitted to access are included in the download. The flaw undermines the application's per-library access control model and permits bulk exfiltration from multiple libraries in a single request.

Impact

Exploitation of this vulnerability leads to unauthorized access to and exfiltration of full file contents, including audiobooks, podcasts, ebooks, and associated metadata, from libraries that the user is explicitly denied access to. This breach of confidentiality also bypasses the application's per-library permission model for bulk downloads, allowing for large-scale data exfiltration.

Reproduction

To reproduce this vulnerability, an authenticated user with download permissions must send a request to the 'GET /api/libraries/:id/download' endpoint. The 'id' parameter must be a library the user has access to, but the 'ids' query parameter can include item IDs from other libraries, including those the user is denied access to. The response will contain the requested files from the unauthorized library, demonstrating the access control bypass.
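The authorization pattern behind this advisory, as an added illustration that is not Audiobookshelf's own code: a minimal in-memory model with a handler shaped like the flaw described above (items resolved from caller-supplied ids alone) beside a corrected handler that checks the caller's access to the requested library and scopes the item lookup to it, plus a small audit function that flags historical requests whose ids crossed library boundaries. The data shapes, field names (`librariesAccessible`, `canDownload`) and sample records are assumptions constructed for the example.

```javascript
// Added example, not Audiobookshelf's code. Data model and field names are assumptions.

// Constructed sample data: two libraries; the user may access only 'lib-a'.
const LIBRARIES = {
  'lib-a': { id: 'lib-a', name: 'Audiobooks' },
  'lib-b': { id: 'lib-b', name: 'Restricted podcasts' },
};
const ITEMS = [
  { id: 'item-1', libraryId: 'lib-a', path: '/audiobooks/book1.m4b' },
  { id: 'item-2', libraryId: 'lib-a', path: '/audiobooks/book2.m4b' },
  { id: 'item-3', libraryId: 'lib-b', path: '/podcasts/ep1.mp3' },
];
const USER = { id: 'u1', canDownload: true, librariesAccessible: ['lib-a'] };

function userCanAccessLibrary(user, libraryId) {
  return user.librariesAccessible.includes(libraryId);
}

// Vulnerable shape, as the advisory describes it: the download permission and the
// existence of the :id library are checked, but the ids are resolved against the
// whole item table, so an item from any library is returned.
function bulkDownloadVulnerable(user, libraryId, ids) {
  if (!user.canDownload) return { status: 403, files: [] };
  if (!LIBRARIES[libraryId]) return { status: 404, files: [] };
  const files = ITEMS.filter((it) => ids.includes(it.id)).map((it) => it.path);
  return { status: 200, files };
}

// Hardened shape: require access to the named library, restrict the lookup to
// that library, and reject the whole request if any id falls outside it.
// Rejecting (rather than silently dropping foreign ids) keeps cross-library
// probing visible in the access log instead of hiding it behind a 200.
function bulkDownloadFixed(user, libraryId, ids) {
  if (!user.canDownload) return { status: 403, files: [] };
  if (!LIBRARIES[libraryId]) return { status: 404, files: [] };
  if (!userCanAccessLibrary(user, libraryId)) return { status: 403, files: [] };
  const wanted = new Set(ids);
  const inLibrary = ITEMS.filter((it) => it.libraryId === libraryId && wanted.has(it.id));
  if (inLibrary.length !== wanted.size) return { status: 404, files: [] };
  return { status: 200, files: inLibrary.map((it) => it.path) };
}

// Audit helper for defenders: given logged bulk-download requests
// ({ user, libraryId, ids }), return those whose ids reference items outside
// the requested library, with the offending ids listed.
function findCrossLibraryRequests(requests) {
  const byId = new Map(ITEMS.map((it) => [it.id, it]));
  const flagged = [];
  for (const req of requests) {
    const offendingIds = req.ids.filter((id) => {
      const item = byId.get(id);
      return item !== undefined && item.libraryId !== req.libraryId;
    });
    if (offendingIds.length > 0) flagged.push({ ...req, offendingIds });
  }
  return flagged;
}

// Constructed sample log: one legitimate request, one crossing into 'lib-b'.
const SAMPLE_LOG = [
  { user: 'u1', libraryId: 'lib-a', ids: ['item-1'] },
  { user: 'u1', libraryId: 'lib-a', ids: ['item-1', 'item-3'] },
];
```

Running `findCrossLibraryRequests(SAMPLE_LOG)` over real access logs is the quickest way to tell whether the pre-2.32.2 behaviour was exercised on a given instance: any entry whose `offendingIds` is non-empty is a request that the corrected handler would have refused.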

Remediation

Users are advised to update to Audiobookshelf version 2.32.2 or later, where this vulnerability has been fixed.

Added: May 11, 2026, 8:35 PM
Updated: May 11, 2026, 8:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.