{"uuid": "c95bffa6-32b2-4151-b803-b2f9c901924a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-25205", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/audiobookshelf_auth_bypass.rb", "content": "{\"actions\": [], \"aliases\": [], \"arch\": \"\", \"author\": [\"swiftbird07\", \"Kenneth LaCroix\"], \"autofilter_ports\": [80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443], \"autofilter_services\": [\"http\", \"https\"], \"check\": true, \"default_credential\": false, \"description\": \"This module detects Audiobookshelf servers affected by CVE-2025-25205, an\\n          unauthenticated authentication bypass. Affected versions (2.17.0 through\\n          2.19.0) decide whether a GET request may skip authentication by testing an\\n          unanchored regular expression against the request's full original URL,\\n          including the query string, rather than the normalized path. By appending a\\n          query parameter whose value contains a whitelisted substring such as\\n          /api/items/1/cover, an unauthenticated client reaches protected API\\n          endpoints.\\n\\n          The module fingerprints the server and version through the unauthenticated\\n          /status endpoint, then sends two requests to the protected /api/libraries\\n          endpoint: a baseline request that must be rejected with HTTP 401, and a\\n          bypass request carrying the whitelisted substring in its query string. On a\\n          vulnerable server the bypass request is processed instead of rejected, which\\n          this module treats as confirmation. It deliberately avoids endpoints such as\\n          /api/users that crash the server process (the denial-of-service half of this\\n          CVE).\", \"disclosure_date\": \"2025-02-12\", \"fullname\": \"auxiliary/scanner/http/audiobookshelf_auth_bypass\", \"is_install_path\": true, \"mod_time\": \"2026-06-21 11:58:01 +0000\", \"name\": \"Audiobookshelf Unauthenticated API Authentication Bypass Scanner\", \"needs_cleanup\": false, \"notes\": {\"Reliability\": [], \"SideEffects\": [\"ioc-in-logs\"], \"Stability\": [\"crash-safe\"]}, \"path\": \"/modules/auxiliary/scanner/http/audiobookshelf_auth_bypass.rb\", \"platform\": \"\", \"post_auth\": false, \"rank\": 300, \"ref_name\": \"scanner/http/audiobookshelf_auth_bypass\", \"references\": [\"CVE-2025-25205\", \"GHSA-pg8v-5jcv-wrvw\", \"URL-https://github.com/advplyr/audiobookshelf/commit/ec6537656925a43871b07cfee12c9f383844d224\"], \"rport\": 13378, \"session_types\": false, \"targets\": null, \"type\": \"auxiliary\"}", "creation_timestamp": "2026-06-24T15:45:11.078576Z"}