CVE-2025-57800
BaseFortify

Publication date: 2025-08-22

Last updated on: 2025-08-26

Assigner: GitHub, Inc.

Description
Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes Audiobookshelf to store an arbitrary callback in a cookie, which is later used to redirect the user after authentication. The server then issues a 302 redirect to the attacker-controlled URL, appending sensitive OIDC tokens as query parameters. This allows an attacker to obtain the victim's tokens and perform full account takeover, including creating persistent admin users if the victim is an administrator. Tokens are further leaked via browser history, Referer headers, and server logs. This vulnerability impacts all Audiobookshelf deployments using OIDC; no IdP misconfiguration is required. The issue is fixed in version 2.28.0. No known workarounds exist.
Meta Information
Published: 2025-08-22
Last modified: 2025-08-26
Generated: 2026-05-27
AI Q&A: 2025-08-22
EPSS evaluated: 2026-05-25
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: audiobookshelf
Product: audiobookshelf
Version range: from 2.6.0 (inclusive) to 2.28.0 (exclusive)
CWE ID and description
CWE-598 (Use of GET Request Method With Sensitive Query Strings): The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
CWE-523 (Unprotected Transport of Credentials): Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect'): The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Audiobookshelf versions 2.6.0 through 2.26.3 involves improper restriction of redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes the application to store an arbitrary callback URL in a cookie. After authentication, the server redirects the user to this attacker-controlled URL, appending sensitive OIDC tokens as query parameters. This allows the attacker to steal the victim's tokens and take over their account, including creating persistent admin users if the victim is an administrator.

How can this vulnerability impact me?

The vulnerability can lead to full account takeover by an attacker, allowing them to access sensitive user information and perform administrative actions such as creating persistent admin users. Tokens are leaked through browser history, Referer headers, and server logs, increasing the risk of unauthorized access and control over the Audiobookshelf deployment.

What immediate steps should I take to mitigate this vulnerability?

Upgrade Audiobookshelf to version 2.28.0 or later, as this version contains the fix for the vulnerability. No known workarounds exist, so applying the update is the recommended immediate mitigation step. Because a compromised administrator session can be used to create persistent admin users, review the user list for unexpected administrator accounts after upgrading.
