CVE-2025-57800
CVE-2025-57800 is a high-severity vulnerability in Audiobookshelf with a CVSS 3.x base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-523.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- EPSS exploit prediction: 0% (35th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-28630
- Weakness: CWE-523
- Affected product: Audiobookshelf
- Published:
- Last modified:
Description
Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes Audiobookshelf to store an arbitrary callback in a cookie, which is later used to redirect the user after authentication. The server then issues a 302 redirect to the attacker-controlled URL, appending sensitive OIDC tokens as query parameters. This allows an attacker to obtain the victim's tokens and perform full account takeover, including creating persistent admin users if the victim is an administrator. Tokens are further leaked via browser history, Referer headers, and server logs. This vulnerability impacts all Audiobookshelf deployments using OIDC; no IdP misconfiguration is required. The issue is fixed in version 2.28.0. No known workarounds exist.
Frequently asked questions
- What is CVE-2025-57800?
- Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes Audiobookshelf to store an arbitrary callback in a cookie, which is later used to redirect the user after authentication. The server then issues a 302 redirect to the attacker-controlled URL, appending sensitive OIDC tokens as query parameters. This allows an attacker to obtain the victim's tokens and perform full account takeover, including creating persistent admin users if the victim is an administrator. Tokens are further leaked via browser history, Referer headers, and server logs. This vulnerability impacts all Audiobookshelf deployments using OIDC; no IdP misconfiguration is required. The issue is fixed in version 2.28.0. No known workarounds exist.
- How severe is CVE-2025-57800?
- CVE-2025-57800 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-57800 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (35th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-57800?
- CVE-2025-57800 affects Audiobookshelf. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-57800?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-57800 have an EU (EUVD) identifier?
- Yes. CVE-2025-57800 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-28630.
- When was CVE-2025-57800 published?
- CVE-2025-57800 was published on 2025-08-22 and last updated on 2026-06-17.
References
- https://github.com/advplyr/audiobookshelf/commit/99a3867ce934b797e21e6ba5390d4b679e35f7cb
- https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-vpc2-w73p-39px
Affected products (1)
- cpe:2.3:a:audiobookshelf:audiobookshelf:*:*:*:*:*:*:*:*
More vulnerabilities in Audiobookshelf
- CVE-2025-25205 — High (CVSS 8.2): Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a…
- CVE-2023-47619 — High (CVSS 8.1): Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, users with the update…
- CVE-2023-47624 — High (CVSS 7.5): Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, any user (regardless of…
- CVE-2024-43797 — Medium (CVSS 6.3): audiobookshelf is a self-hosted audiobook and podcast server. A non-admin user is not allowed to create libraries (or…
- CVE-2025-46338 — Medium (CVSS 6.1): Audiobookshelf is a self-hosted audiobook and podcast server. Prior to version 2.21.0, an improper input handling…
- CVE-2026-27963 — Medium (CVSS 4.8): Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists…
All CVEs affecting Audiobookshelf →
Other CWE-523 vulnerabilities
- CVE-2024-1509 — Critical (CVSS 9.1): Brocade ASCG before 3.2.0 Web Interface is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response…
- CVE-2025-61121 — High (CVSS 7.5): Mobile Scanner Android App version 2.12.38 (package name com.glority.everlens), developed by Glority Global Group Ltd.,…
- CVE-2023-31277 — High (CVSS 7.5): PiiGAB M-Bus transmits credentials in plaintext format.
- CVE-2022-31805 — High (CVSS 7.5): In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication…
- CVE-2025-64309 — High (CVSS 7.4): The affected product discloses device telemetry, configuration, and sensitive information via WebSocket traffic to…
- CVE-2024-4188 — High (CVSS 7.1): Unprotected Transport of Credentials vulnerability in OpenText™ Documentum™ Server could allow Credential…