Published Date: December 24, 2024
Package | Affected Versions | Patched Versions | Severity |
---|---|---|---|
📦 github.com/navidrome/navidrome (Go) | <= 0.53.3 | 0.54.1 | High |
Description
The Problem
Navidrome stores the JWT secret in plaintext in the `navidrome.db` database file under the `property` table. This secret is vital for authentication and authorization. If someone gains access to the database file, they can easily retrieve the JWT secret.
Why It’s a Big Deal
With access to the JWT secret, an attacker could:
- Forge valid tokens to impersonate users, including admins.
- Access sensitive data without permission.
- Perform privileged actions within the application.
This issue becomes even more dangerous if the database file isn’t well-protected.
Patches & Workarounds
How to Fix It
- Update Navidrome: Upgrade to version 0.54.1 or later, where this vulnerability has been patched.
- Restrict access to the database file: make it readable and writable only by the Navidrome service account, for example:

```
chmod 600 /path/to/navidrome.db
chown navidrome:navidrome /path/to/navidrome.db
```

- Rotate Secrets: After updating, regenerate your JWT secret to ensure old secrets are no longer valid. Update the configuration file if needed.
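An added audit script (not part of this advisory or the Navidrome project) that checks a `navidrome.db` copy for the two conditions described above: the database file being readable by other local users, and a secret still sitting in plaintext in the `property` table. It assumes the `property` table has `(id, value)` columns and that the secret row's id contains "jwt"; the sample database it builds is constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Assumption, not from the advisory: the property table has columns
# (id, value) and the JWT secret row's id contains "jwt".
SECRET_ID_MARKER = "jwt"


def audit_navidrome_db(db_path):
    """Return findings: loose file permissions and plaintext JWT secret rows."""
    findings = []
    mode = os.stat(db_path).st_mode & 0o777
    if mode & 0o077:
        # Any group/other bits let other local users read the secret.
        findings.append("database file is not owner-only (mode %o)" % mode)
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("SELECT id, value FROM property").fetchall()
    finally:
        conn.close()
    for row_id, value in rows:
        if SECRET_ID_MARKER in row_id.lower() and value:
            findings.append("property %r holds a secret in plaintext" % row_id)
    return findings


def make_sample_db(path=None):
    """Constructed sample: an unpatched-style property table, left mode 0644."""
    path = path or os.path.join(tempfile.mkdtemp(), "navidrome.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE property (id TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO property VALUES ('JWTSecret', 'constructed-sample')")
    conn.commit()
    conn.close()
    os.chmod(path, 0o644)
    return path


def harden_file(path):
    """Apply the advisory's chmod 600 (the chown needs the right account)."""
    os.chmod(path, 0o600)


if __name__ == "__main__":
    sample = make_sample_db()
    print(audit_navidrome_db(sample))   # both findings
    harden_file(sample)
    print(audit_navidrome_db(sample))   # only the plaintext-secret finding remains
```

The permission finding disappears after `harden_file`; the plaintext-secret finding only goes away once the instance is upgraded and the secret rotated as described above.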