7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-56362

GHSA ID

GHSA-xwx7-p63r-2rj8

EPSS Score

0.02237%

CWE

CWE-312

Published

12/23/2024

Updated

1/15/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-56362

CVE-2024-56362:
Navidrome Stores JWT Secret in Plaintext in navidrome.db

Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. The JWT secret is critical for the authentication and authorization system. If exposed, an attacker could:

Forge valid tokens to impersonate users, including administrative accounts.
Gain unauthorized access to sensitive data or perform privileged actions. This vulnerability has been tested on the latest version of Navidrome and poses a significant risk in environments where the database file is not adequately secured.

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-56362

GHSA ID

GHSA-xwx7-p63r-2rj8

EPSS Score

0.02237%

CWE

CWE-312

Published

12/23/2024

Updated

1/15/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/navidrome/navidrome	go	<= 0.53.3	0.54.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from cleartext storage of the JWT secret. The createJWTSecret function in server/initial_setup.go was directly responsible for writing the secret to the database in plaintext during initial setup. The auth.Init function in core/auth/auth.go perpetuated the risk by using the plaintext secret without encryption/decryption mechanisms. The commit diff shows these functions were modified/removed in the patch (replaced with encrypted storage/retrieval), confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

N*vi*rom* stor*s t** JWT s**r*t in pl*int*xt in t** `n*vi*rom*.**` **t***s* *il* un**r t** `prop*rty` t**l*. T*is pr**ti** intro*u**s * s**urity risk ****us* *nyon* wit* ****ss to t** **t***s* *il* **n r*tri*v* t** s**r*t. T** JWT s**r*t is *riti**l

Reasoning

T** vuln*r**ility st*ms *rom *l**rt*xt stor*** o* t** JWT s**r*t. T** `*r**t*JWTS**r*t` *un*tion in `s*rv*r/initi*l_s*tup.*o` w*s *ir**tly r*sponsi*l* *or writin* t** s**r*t to t** **t***s* in pl*int*xt *urin* initi*l s*tup. T** `*ut*.Init` *un*tion

7.1

Basic Information

Concerned about an active attack path?

CVE-2024-56362: Navidrome Stores JWT Secret in Plaintext in navidrome.db

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-56362:
Navidrome Stores JWT Secret in Plaintext in navidrome.db

Vulnerability Intelligence
Miggo AI