Audiobookshelf Unauthenticated API Authentication Bypass Scanner
| Disclosed | Created |
|---|---|
| Feb 12, 2025 | Jun 23, 2026 |
Description
This module detects Audiobookshelf servers affected by CVE-2025-25205, an
unauthenticated authentication bypass. Affected versions (2.17.0 through
2.19.0) decide whether a GET request may skip authentication by testing an
unanchored regular expression against the request's full original URL,
including the query string, rather than the normalized path. By appending a
query parameter whose value contains a whitelisted substring such as
/api/items/1/cover, an unauthenticated client reaches protected API
endpoints.
The module fingerprints the server and version through the unauthenticated
/status endpoint, then sends two requests to the protected /api/libraries
endpoint: a baseline request that must be rejected with HTTP 401, and a
bypass request carrying the whitelisted substring in its query string. On a
vulnerable server the bypass request is processed instead of rejected, which
this module treats as confirmation. It deliberately avoids endpoints such as
/api/users that crash the server process (the denial-of-service half of this
CVE).
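The flaw and the check the module performs, as an added illustration that is not Audiobookshelf's or the Metasploit module's own code: the first function reproduces the vulnerable pattern (an unanchored regular expression tested against the full original URL, query string included), the second the hardened pattern (an anchored expression tested against the parsed path only), and a third function triages constructed access-log lines for requests whose path is protected but whose query string carries an allow-listed path substring. The allow-list contents, the route pattern and the log format are assumptions made for the example.

```javascript
// Added illustration; not code from Audiobookshelf or the Metasploit module.
// Uses the WHATWG URL class that Node.js exposes as a global.

// Hypothetical allow-list of routes that may be served without a session.
// The cover route uses the substring the description names; the real
// server's list is larger and is not reproduced here.
const PUBLIC_ROUTES_UNANCHORED = [/\/api\/items\/[^/?#]+\/cover/];
const PUBLIC_ROUTES_ANCHORED = [/^\/api\/items\/[^/?#]+\/cover$/];

// Vulnerable pattern: the decision is made on the raw request URL, so any
// query parameter value that contains an allow-listed path satisfies it.
function skipsAuthVulnerable(originalUrl) {
  return PUBLIC_ROUTES_UNANCHORED.some((re) => re.test(originalUrl));
}

// Hardened pattern: parse the URL, keep only the normalized path, and test
// an anchored expression so the whole path must be a public route.
function skipsAuthFixed(originalUrl) {
  const { pathname } = new URL(originalUrl, 'http://localhost');
  return PUBLIC_ROUTES_ANCHORED.some((re) => re.test(pathname));
}

// Constructed access-log lines (method, request URL, status) for triage.
// The second line is the shape of request the module's bypass probe sends;
// a 200 where a 401 was expected is what the module treats as confirmation.
const SAMPLE_LOG = [
  'GET /api/libraries 401',
  'GET /api/libraries?x=/api/items/1/cover 200',
  'GET /api/items/1/cover 200',
  'GET /api/items/1/cover?download=1 200',
];

// Defender-side triage: flag GET requests whose path is not itself public
// but whose query string contains an allow-listed path substring.
function flagBypassAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const [method, rawUrl, status] = line.split(' ');
    if (method !== 'GET') continue;
    const u = new URL(rawUrl, 'http://localhost');
    const pathIsPublic = PUBLIC_ROUTES_ANCHORED.some((re) => re.test(u.pathname));
    const queryLooksPublic = PUBLIC_ROUTES_UNANCHORED.some((re) => re.test(u.search));
    if (!pathIsPublic && queryLooksPublic) {
      hits.push({ url: rawUrl, status: Number(status) });
    }
  }
  return hits;
}

module.exports = { skipsAuthVulnerable, skipsAuthFixed, flagBypassAttempts, SAMPLE_LOG };
```

Note that the hardened variant also rejects a public path with trailing segments appended, because the anchored expression must match the entire parsed path; the unanchored variant accepts anything that merely contains the substring.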
Authors
swiftbird07
Kenneth LaCroix
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':