Authentication Bypass in Audiobookshelf Affected by Regex Pattern Flaw
CVE-2025-25205

8.2HIGH

Key Information:

Vendor: Advplyr
Status: Audiobookshelf
Vendor: CVE Published:; 12 February 2025

What is CVE-2025-25205?

Audiobookshelf, a self-hosted audiobook and podcast server, has a flaw in its authentication logic that permits unauthenticated requests to match unanchored regex patterns in URLs. This issue impacts versions 2.17.0 through 2.19.0, allowing attackers to create specially crafted URLs to partially bypass authentication. Additionally, this vulnerability could potentially cause server crashes under specific conditions, leading to a denial of service and exposing sensitive data. The vulnerability has been addressed in version 2.19.1.

Affected Version(s)

audiobookshelf >= 2.17.0, < 2.19.1

References

https://github.com/advplyr/audiobookshelf/security/adviso...

x_refsource_CONFIRM

https://github.com/advplyr/audiobookshelf/pull/3584

x_refsource_MISC

https://github.com/advplyr/audiobookshelf/commit/bf840727...

x_refsource_MISC

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 12, 2025
Vulnerability Reserved
Feb 3, 2025

Advplyr

What is CVE-2025-25205?

Affected Version(s)

References

CVSS V3.1

Timeline