{"vulnerability": "cve-2025-25205", "sightings": [{"uuid": "d14e8727-2c4a-4d29-8edb-bac6eec46dd7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-25205", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113992291274845967", "content": "", "creation_timestamp": "2025-02-12T18:18:47.772047Z"}, {"uuid": "e96ef1a9-36f0-4c27-aa86-73b7a38e84e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-25205", "type": "seen", "source": "https://bsky.app/profile/cve-notifications.bsky.social/post/3lhyv4n35zi2a", "content": "", "creation_timestamp": "2025-02-12T19:15:54.465496Z"}, {"uuid": "e916a1b1-6bad-419b-9dc1-6a90a31999a2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-25205", "type": "seen", "source": "https://mastodon.social/users/CyberSignaler/statuses/113992880737800098", "content": "", "creation_timestamp": "2025-02-12T20:48:42.968088Z"}, {"uuid": "c926282f-9dfd-4d4f-bc89-cb172dc7bf25", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-25205", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lhz3i7ptjq2z", "content": "", "creation_timestamp": "2025-02-12T21:09:45.739893Z"}, {"uuid": "ec3ad490-d70b-4e99-8b65-b2a6b4207d93", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-25205", "type": "seen", "source": "https://t.me/cvedetector/17927", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-25205 - Audiobookshelf Regex Pattern Authentication Bypass\", \n  \"Content\": \"CVE ID : CVE-2025-25205 \nPublished : Feb. 12, 2025, 7:15 p.m. | 1\u00a0hour, 49\u00a0minutes ago \nDescription : Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a flaw in the authentication bypass logic allows unauthenticated requests to match certain unanchored regex patterns in the URL. Attackers can craft URLs containing substrings like \"/api/items/1/cover\" in a query parameter (?r=/api/items/1/cover) to partially bypass authentication or trigger server crashes under certain routes. This could lead to information disclosure of otherwise protected data and, in some cases, a complete denial of service (server crash) if downstream code expects an authenticated user object. Version 2.19.1 contains a patch for the issue. \nSeverity: 8.2 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"12 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-12T22:45:22.000000Z"}, {"uuid": "c95bffa6-32b2-4151-b803-b2f9c901924a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-25205", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/audiobookshelf_auth_bypass.rb", "content": "{\"actions\": [], \"aliases\": [], \"arch\": \"\", \"author\": [\"swiftbird07\", \"Kenneth LaCroix\"], \"autofilter_ports\": [80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443], \"autofilter_services\": [\"http\", \"https\"], \"check\": true, \"default_credential\": false, \"description\": \"This module detects Audiobookshelf servers affected by CVE-2025-25205, an\\n          unauthenticated authentication bypass. Affected versions (2.17.0 through\\n          2.19.0) decide whether a GET request may skip authentication by testing an\\n          unanchored regular expression against the request's full original URL,\\n          including the query string, rather than the normalized path. By appending a\\n          query parameter whose value contains a whitelisted substring such as\\n          /api/items/1/cover, an unauthenticated client reaches protected API\\n          endpoints.\\n\\n          The module fingerprints the server and version through the unauthenticated\\n          /status endpoint, then sends two requests to the protected /api/libraries\\n          endpoint: a baseline request that must be rejected with HTTP 401, and a\\n          bypass request carrying the whitelisted substring in its query string. On a\\n          vulnerable server the bypass request is processed instead of rejected, which\\n          this module treats as confirmation. It deliberately avoids endpoints such as\\n          /api/users that crash the server process (the denial-of-service half of this\\n          CVE).\", \"disclosure_date\": \"2025-02-12\", \"fullname\": \"auxiliary/scanner/http/audiobookshelf_auth_bypass\", \"is_install_path\": true, \"mod_time\": \"2026-06-21 11:58:01 +0000\", \"name\": \"Audiobookshelf Unauthenticated API Authentication Bypass Scanner\", \"needs_cleanup\": false, \"notes\": {\"Reliability\": [], \"SideEffects\": [\"ioc-in-logs\"], \"Stability\": [\"crash-safe\"]}, \"path\": \"/modules/auxiliary/scanner/http/audiobookshelf_auth_bypass.rb\", \"platform\": \"\", \"post_auth\": false, \"rank\": 300, \"ref_name\": \"scanner/http/audiobookshelf_auth_bypass\", \"references\": [\"CVE-2025-25205\", \"GHSA-pg8v-5jcv-wrvw\", \"URL-https://github.com/advplyr/audiobookshelf/commit/ec6537656925a43871b07cfee12c9f383844d224\"], \"rport\": 13378, \"session_types\": false, \"targets\": null, \"type\": \"auxiliary\"}", "creation_timestamp": "2026-06-24T15:45:11.078576Z"}]}