Kareadita Kavita
cpe:2.3:a:kavita:kavita:*:*:*:*:*:*:*, +1 more
- <= 0.8.9.1
A vulnerability exists in Kavita reading server versions prior to 0.9.0, where the ReaderController.GetImage endpoint allows unauthenticated access to page images from any chapter in any library. The endpoint, which is marked with [AllowAnonymous], accepts an apiKey parameter that is never validated. This lack of authentication enables an unauthenticated attacker to easily enumerate and access all content on the server, as chapter IDs are sequential integers. The vulnerability is present in Kavita versions through 0.8.9.1.
Exploitation of this vulnerability could lead to unauthorized access to sensitive image data, allowing an attacker to read page images from every chapter across all libraries on the Kavita server, regardless of library access restrictions.
The vulnerability can be reproduced by sending an unauthenticated HTTP request to the '/api/Reader/image' endpoint. Include a 'chapterId' and 'page' number in the request. The 'apiKey' parameter can be any arbitrary string, as it is not validated. The response will contain the requested page image, demonstrating the unauthorized access.
Users are advised to update to Kavita version 0.9.0 or later, where this vulnerability has been fixed.
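For servers that ran an affected version, access logs can be reviewed for the request pattern described above. The following is an added example, not code from the advisory or from Kavita: it assumes a reverse proxy in front of Kavita writes combined-format access logs that include the query string, and that you can supply the set of API keys actually issued. The function names, the sample key and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format, as a reverse proxy might write them).
SAMPLE_LOG = """\
198.51.100.20 - - [01/Jan/2025:09:58:10 +0000] "GET /api/Reader/image?chapterId=12&page=0&apiKey=CONSTRUCTED-VALID-KEY HTTP/1.1" 200 51200
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /api/Reader/image?chapterId=1&page=0&apiKey=x HTTP/1.1" 200 48213
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /api/reader/image?chapterid=2&page=0&apikey=x HTTP/1.1" 200 47010
203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /api/Reader/image?chapterId=3&page=0&apiKey=x HTTP/1.1" 200 50333
203.0.113.7 - - [01/Jan/2025:10:00:04 +0000] "GET /api/Reader/image?chapterId=4&page=0&apiKey=y HTTP/1.1" 200 46120
203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /api/Reader/image?chapterId=9&page=0&apiKey=x HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3}) ')

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    s, best = set(ids), 0
    for i in s:
        if i - 1 not in s:          # i starts a run
            n = 1
            while i + n in s:
                n += 1
            best = max(best, n)
    return best

def find_unauthenticated_reads(log_text, known_keys):
    """Per client: images served (HTTP 200) for an apiKey that was never issued."""
    chapters, unknown = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "200":
            continue
        client, url = m.group(1), urlsplit(m.group(2))
        # ASP.NET Core matches routes and query names case-insensitively.
        if url.path.lower() != "/api/reader/image":
            continue
        q = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
        cid = q.get("chapterid", "")
        if not cid.isdecimal():
            continue
        chapters[client].add(int(cid))
        if q.get("apikey", "") not in known_keys:
            unknown[client] += 1
    # A long sequential run of chapter IDs indicates enumeration, not a one-off.
    return {c: {"unknown_key_200s": unknown[c], "chapters": len(ids),
                "longest_sequential_run": longest_run(ids)}
            for c, ids in chapters.items() if unknown[c]}
```

Any client returned by `find_unauthenticated_reads` received page images without a valid key, so the chapters it requested should be treated as disclosed.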