Audiobookshelf Unauthenticated API Auth Bypass Scanner (CVE-2025-25205)
Metasploit auxiliary scanner detects unanchored regex auth bypass on /api/libraries — versions 2.17.0–2.19.0.
Summary
Audiobookshelf versions 2.17.0 – 2.19.0 ship an unauthenticated API authentication bypass (CVE-2025-25205; fixed in 2.19.1) caused by unanchored regex matching against req.originalUrl (which includes the query string) instead of req.path in server/Auth.js. Rapid7's Metasploit module auxiliary/scanner/http/audiobookshelf_auth_bypass (PR #21565) detects exposed instances via differential checks on /api/libraries.
Key Findings
| Finding | Detail |
|---|---|
| CVE | CVE-2025-25205 |
| Weakness | Unanchored regex on req.originalUrl vs req.path in server/Auth.js |
| Bypass primitive | Append whitelisted substring in query, e.g. /api/libraries?r=/api/items/1/cover |
| Scanner endpoint | Differential check on /api/libraries (crash-safe; avoids DoS routes) |
| Fixed version | 2.19.1 (anchored patterns + path matching) |
Attack Chain
GET /api/libraries → 401 (baseline)
GET /api/libraries?r=/api/items/1/cover → 200/500 (handler runs without user)
Patched server → 401 to both
Some routes referencing req.user without a session can crash the Node process (reflective DoS). The Metasploit module deliberately avoids those paths.
Impact
- Confidentiality — protected library metadata reachable without credentials on vulnerable builds.
- Availability — crash-prone routes when the auth bypass reaches handlers expecting req.user.
- Mass detection — the scanner module lowers the bar for identifying exposed self-hosted media servers.
Mitigation
- Upgrade Audiobookshelf to 2.19.1+.
- Restrict network access to admin/API ports; do not expose ABS to the open internet without auth hardening.
- WAF rule: flag /api/libraries requests with cover/image whitelist substrings in query parameters.
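The following added example (not Audiobookshelf's own server/Auth.js, and not the Metasploit module) illustrates the weakness behind the attack chain above and the WAF rule from the mitigation list: an assumed, simplified public-route whitelist is checked the vulnerable way (unanchored regex over req.originalUrl) and the hardened way (anchored regex over req.path), and a detection helper flags /api/libraries requests whose query string carries a whitelisted substring. The regex pattern and request helper are assumptions for illustration.

```javascript
// Assumed stand-in for a public-route whitelist (cover images are the
// page's example); not the project's actual pattern list.
const PUBLIC_ROUTE_PATTERNS = [
  /\/api\/items\/[^\/]+\/cover/, // unanchored: matches anywhere in the string
];

// Vulnerable form: tested against req.originalUrl, which in Express includes
// the query string, so "?r=/api/items/1/cover" satisfies the whitelist.
function isPublicVulnerable(req) {
  return PUBLIC_ROUTE_PATTERNS.some((re) => re.test(req.originalUrl));
}

// Hardened form, mirroring the fix described above: anchored patterns tested
// against req.path, which excludes the query string.
const PUBLIC_ROUTE_PATTERNS_FIXED = [/^\/api\/items\/[^\/]+\/cover$/];
function isPublicFixed(req) {
  return PUBLIC_ROUTE_PATTERNS_FIXED.some((re) => re.test(req.path));
}

// Minimal constructed stand-in for the Express request fields the check reads.
function makeReq(originalUrl) {
  const url = new URL(originalUrl, "http://localhost");
  return { originalUrl, path: url.pathname, query: url.search };
}

// Detection in the spirit of the WAF mitigation: flag requests whose path is
// /api/libraries but whose query string smuggles a public-route substring.
function shouldFlag(originalUrl) {
  const req = makeReq(originalUrl);
  if (!req.path.startsWith("/api/libraries")) return false;
  return PUBLIC_ROUTE_PATTERNS.some((re) => re.test(req.query));
}

// Walk the page's attack chain with constructed request URLs.
for (const u of ["/api/libraries", "/api/libraries?r=/api/items/1/cover"]) {
  const req = makeReq(u);
  console.log(u, {
    vulnerable: isPublicVulnerable(req), // true for the smuggled query
    fixed: isPublicFixed(req),           // false for both
    flagged: shouldFlag(u),              // true only for the smuggled query
  });
}
```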