Add Audiobookshelf authentication bypass scanner (CVE-2025-25205)#21565
Open
kenlacroix wants to merge 1 commit into
Adds an auxiliary/scanner/http module that detects Audiobookshelf servers vulnerable to CVE-2025-25205, an unauthenticated API authentication bypass in versions 2.17.0 through 2.19.0. The module fingerprints the server via the unauthenticated /status endpoint and confirms the bypass with a differential check against /api/libraries. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Summary

Adds `auxiliary/scanner/http/audiobookshelf_auth_bypass`, a detection module for CVE-2025-25205 — an unauthenticated API authentication bypass in Audiobookshelf (self-hosted audiobook/podcast server), affecting versions 2.17.0 – 2.19.0 (fixed in 2.19.1).

## Vulnerability

The auth middleware (`server/Auth.js`) decides whether a `GET` may skip authentication by testing unanchored regexes (`/\/api\/items\/[^/]+\/cover/`, `/\/api\/authors\/[^/]+\/image/`) against `req.originalUrl` — which includes the query string — instead of the normalized `req.path`. Appending a query value containing one of those substrings (e.g. `/api/libraries?r=/api/items/1/cover`) satisfies the "auth not needed" check while Express still routes the request to the protected handler. Fixed in 2.19.1 by anchoring the patterns and matching `req.path`.

## What the module does

- Fingerprints the server via the unauthenticated `/status` endpoint.
- Runs a differential check against `/api/libraries`: a baseline request that a server normally rejects with `401`, and a bypass request carrying the whitelisted substring. On a vulnerable server the bypass is processed instead of rejected (HTTP `200`, or `500` because the handler runs without a user object); a patched server returns `401` to both.
- It intentionally targets `/api/libraries` and avoids endpoints such as `/api/users` that crash the server process (the DoS half of this CVE), so the check is crash-safe.

## Verification

Tested against the official image at both a vulnerable and a patched tag (true-positive and true-negative):

Documentation with full setup and scenarios is included at `documentation/modules/auxiliary/scanner/http/audiobookshelf_auth_bypass.md`.

## Verification Steps

1. `use auxiliary/scanner/http/audiobookshelf_auth_bypass`
2. `set RHOSTS <target>`
3. `set RPORT 13378`
4. `run` — the module reports the version and confirms the bypass
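As an added illustration of the two mechanisms the PR description relies on (the unanchored-regex check against `req.originalUrl` versus the anchored check against `req.path`, and the baseline/bypass differential the scanner applies), here is a self-contained Node.js model. It is example code written for this page, not Audiobookshelf's `server/Auth.js` and not the Metasploit module; the request-object shape, the stand-in handler and the status mapping are simplified assumptions built only from what the description states.

```javascript
// Added example: a Node.js model of the vulnerable vs. fixed "auth not needed"
// check and of the scanner's differential decision. This is not Audiobookshelf
// code or the Metasploit module; the request object, handler and status mapping
// are simplified assumptions derived only from the PR description.

// Patterns quoted in the PR; the fixed variants are anchored to the whole path.
const UNANCHORED_PATTERNS = [/\/api\/items\/[^/]+\/cover/, /\/api\/authors\/[^/]+\/image/];
const ANCHORED_PATTERNS = [/^\/api\/items\/[^/]+\/cover$/, /^\/api\/authors\/[^/]+\/image$/];

// Build the two fields Express exposes for a request: originalUrl keeps the
// query string, path is the normalized path only. (Assumed minimal shape.)
function makeReq(rawUrl) {
  const u = new URL(rawUrl, 'http://localhost');
  return { originalUrl: u.pathname + u.search, path: u.pathname };
}

// Vulnerable check (2.17.0 - 2.19.0 behaviour as described): unanchored
// regexes tested against originalUrl, so a match inside the query string counts.
function authNotNeededVulnerable(req) {
  return UNANCHORED_PATTERNS.some((re) => re.test(req.originalUrl));
}

// Fixed check (2.19.1 behaviour as described): anchored regexes against req.path.
function authNotNeededFixed(req) {
  return ANCHORED_PATTERNS.some((re) => re.test(req.path));
}

// Minimal stand-in for middleware + protected route: an unauthenticated GET is
// rejected with 401 unless the check says auth is not needed, in which case
// Express would still route it to the protected handler (modelled as 200; a
// real handler may instead 500 when it runs without a user object).
function unauthenticatedGet(rawUrl, authNotNeeded) {
  const req = makeReq(rawUrl);
  return authNotNeeded(req) ? 200 : 401;
}

// Scanner decision from the PR: the baseline must be 401; a bypass answered
// with 200 or 500 means vulnerable, 401 to both means patched. Anything else
// is treated as inconclusive rather than reported.
function classify(baselineStatus, bypassStatus) {
  if (baselineStatus !== 401) return 'inconclusive';
  if (bypassStatus === 200 || bypassStatus === 500) return 'vulnerable';
  if (bypassStatus === 401) return 'patched';
  return 'inconclusive';
}

// Differential check against /api/libraries, mirroring what the module does.
function runDifferentialCheck(authNotNeeded) {
  const baseline = unauthenticatedGet('/api/libraries', authNotNeeded);
  const bypass = unauthenticatedGet('/api/libraries?r=/api/items/1/cover', authNotNeeded);
  return { baseline, bypass, verdict: classify(baseline, bypass) };
}

console.log('vulnerable build:', runDifferentialCheck(authNotNeededVulnerable));
console.log('patched build:   ', runDifferentialCheck(authNotNeededFixed));
```

The `classify` function deliberately requires the baseline to be `401` before it will call anything vulnerable: a server that answers `200` to a plain unauthenticated `/api/libraries` is not exhibiting this bug (it may simply have no auth in front of it), and reporting it would be a false positive of a different kind.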