CVE-2025-25205 - Audiobookshelf Authentication Bypass Flaw: Exploiting Unanchored Regex Patterns for Data Leakage and Denial of Service Attacks

Audiobookshelf serves as an open-source, self-hosted platform for easy management and streaming of audiobooks and podcasts in the user's personal library. With the recent identification of a security vulnerability affecting version 2.17. through 2.19., users could face potential risks if they continue to use the affected versions. This vulnerability, referred to as CVE-2025-25205, allows unauthenticated requests to bypass security measures, leading to possible information disclosure and server crashes.

In this post, we dive deeper into the nature of this vulnerability, look at an example code snippet that exploits it, describe the security implications for an affected server, and highlight the necessary steps to ensure your Audiobookshelf instance remains secure.

Vulnerability Details

The vulnerability occurs due to a flaw in Audiobookshelf's authentication bypass logic, which identifies certain URL patterns. Attackers can craft a URL that includes unanchored regex patterns such as "/api/items/1/cover" in its query parameter (?r=/api/items/1/cover), enabling them to partially bypass authentication.

For example, consider the following code snippet that demonstrates the exploitable flaw in the URL authentication bypass logic:

import re

def authentication_bypass(request_url):
    url_patterns = [r'/api/items/\d+/cover']
    for pattern in url_patterns:
        if re.search(pattern, request_url):
            return True
    return False

# Example of an exploitable URL
request_url = "/api/items?q=/api/items/1/cover"
result = authentication_bypass(request_url)

print("Bypass Result:", result)

In this example, the authentication_bypass() checks if any part of the request URL matches the vulnerable pattern. Since the request URL contains the substring "/api/items/1/cover", the function returns True, thereby granting unintended access.

Exploitation of this vulnerability could lead to information disclosure for otherwise protected data and even, in some cases, server crashes if downstream code expects an authenticated user object. An attacker could use these flaws to obtain unauthorized information, disrupt service, or cause a denial of service (server crash) on the affected Audiobookshelf instance.

Mitigation and Patch

The Audiobookshelf development team has fixed this issue in version 2.19.1. Upgrading to this version by following the "Updating Audiobookshelf" guide is highly recommended.

Users running affected versions of Audiobookshelf should take immediate action to protect their data. It is worthwhile to audit the system for any evidence of unauthorized access, review logs to identify potential incidents, and report any suspicious activity to the appropriate authority.

In summary, CVE-2025-25205 presents a serious risk to the security of any Audiobookshelf server running affected versions between 2.17. and 2.19.. To prevent potential attacks on your system and safeguard your data, updating to version 2.19.1 is critical. Stay vigilant and ensure your Audiobookshelf server remains updated to the latest version, taking advantage of security patches and enhancements.

Original References

1. Audiobookshelf GitHub Repository
2. Updating Audiobookshelf Guide
3. Audiobookshelf Version 2.19.1 Release Notes

Timeline

Published on: 02/12/2025 19:15:21 UTC