OFFSITE.DARK
Jun 29, 2026

Sploitus

  • audiobookshelf
  • auth-bypass
  • cve-2025-25205
  • metasploit
  • scanner

Audiobookshelf Unauthenticated API Auth Bypass Scanner (CVE-2025-25205)

Metasploit auxiliary scanner detects unanchored regex auth bypass on /api/libraries — versions 2.17.0–2.19.0.

Summary

Audiobookshelf versions 2.17.0 – 2.19.0 ship an unauthenticated API authentication bypass (CVE-2025-25205; fixed in 2.19.1). The cause is in server/Auth.js: the auth whitelist is matched with unanchored regexes against req.originalUrl, which includes the query string, rather than against req.path. Rapid7's Metasploit module auxiliary/scanner/http/audiobookshelf_auth_bypass (PR #21565) detects exposed instances via differential checks on /api/libraries.

Key Findings

| Finding | Detail |
| --- | --- |
| CVE | CVE-2025-25205 |
| Weakness | Unanchored regex on req.originalUrl vs req.path in server/Auth.js |
| Bypass primitive | Append whitelisted substring in query, e.g. /api/libraries?r=/api/items/1/cover |
| Scanner endpoint | Differential check on /api/libraries (crash-safe; avoids DoS routes) |
| Fixed version | 2.19.1 (anchored patterns + path matching) |

Attack Chain

GET /api/libraries                      → 401 (baseline)
GET /api/libraries?r=/api/items/1/cover → 200/500 (handler runs without user)
Patched server                          → 401 to both

Some routes referencing req.user without a session can crash the Node process (reflective DoS). The Metasploit module deliberately avoids those paths.

Impact

  • Confidentiality — protected library metadata reachable without credentials on vulnerable builds.
  • Availability — crash-prone routes when auth bypass hits handlers expecting req.user.
  • Mass detection — the scanner module lowers the bar for identifying exposed self-hosted media servers.

Mitigation

  1. Upgrade Audiobookshelf to 2.19.1+.
  2. Restrict network access to admin/API ports; do not expose ABS to the open internet without auth hardening.
  3. WAF rule: flag /api/libraries requests with cover/image whitelist substrings in query parameters.
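
The root cause from the Summary and the WAF rule in step 3 can be expressed as one check, shown here as an added example that is not code from Audiobookshelf or the Metasploit module. The two whitelist patterns are assumptions modeled on the page's /api/items/1/cover example, and the log lines are constructed.

```javascript
// Assumed whitelist patterns (hypothetical, not copied from server/Auth.js).
const UNANCHORED = [/\/api\/items\/[^/]+\/cover/, /\/api\/authors\/[^/]+\/image/];
const ANCHORED = UNANCHORED.map((re) => new RegExp(`^${re.source}$`));

// Pre-fix behaviour as the page describes it: unanchored pattern tested
// against the full URL (Express req.originalUrl), query string included.
function skipsAuthUnanchored(originalUrl) {
  return UNANCHORED.some((re) => re.test(originalUrl));
}

// Post-fix behaviour as the page describes it: anchored pattern tested
// against the path only (Express req.path carries no query string).
function skipsAuthAnchored(originalUrl) {
  const path = new URL(originalUrl, 'http://placeholder.invalid').pathname;
  return ANCHORED.some((re) => re.test(path));
}

// A request is bypass-shaped when the old check would skip auth for it
// but the fixed check would not: the match came from outside the path.
function isBypassShaped(originalUrl) {
  return skipsAuthUnanchored(originalUrl) && !skipsAuthAnchored(originalUrl);
}

// Constructed access-log lines: "<method> <url> <status>".
const SAMPLE_LOG = [
  'GET /api/libraries 401',
  'GET /api/libraries?r=/api/items/1/cover 200',
  'GET /api/items/1/cover 200',
  'GET /api/authors/7/image?ts=1 200',
];

// Return the log lines a WAF or log review should flag.
function scanLog(lines) {
  return lines.filter((line) => isBypassShaped(line.split(' ')[1]));
}

console.log(scanLog(SAMPLE_LOG));
```

Legitimate cover and image requests pass both checks and are not flagged, so the rule does not depend on blocking the whitelisted routes themselves.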
