# Broken Access Control in LibreTime analytics endpoints (CVE-2025-60427)

**Author:** Beatriz Fresno Naumova (beafn28)

**Date:** 17/10/2025

**Vendor:** LibreTime

**Product:** LibreTime

**Versions affected:** 3.0.0-alpha.10 and possibly earlier

**Component:** Analytics module - Web UI and API endpoints handling analytics data

**CWE:** [CWE-284 - Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)

**Attack type:** Remote

**Impact:** Information Disclosure

### Description

LibreTime 3.0.0-alpha.10 (and possibly earlier) contains a broken access control issue in its analytics subsystem. An authenticated user assigned the DJ role can access analytics endpoints (via the web UI or direct API calls) that return station-wide metrics. The backend fails to enforce role-based permission checks on these analytics endpoints, allowing less-privileged users to retrieve sensitive station-level analytics that should be restricted to administrators or managers.

### Impact

* **Primary impact:** Information disclosure (station-wide analytics and metrics exposed to unauthorized users).
* **Consequences:** Privacy exposure, operational reconnaissance, and enabling of subsequent targeted attacks or abuse (e.g., identifying high-value times, listener counts, station identifiers).

### Attack Details

Attack Vector (AV): Network (N)

Attack Complexity (AC): Low (L)

Privileges Required (PR): Low (L)

User Interaction (UI): None (N)

Scope (S): Unchanged (U)

Confidentiality (C): High (H)

Integrity (I): None (N)

Availability (A): None (N)

```
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
```

**CVSS v3.1 Base Score: 6.5 (Medium)**

### Mitigation

* Enforce RBAC server-side: Add explicit role checks on analytics endpoints so only admin/manager roles can retrieve station-wide metrics.
* Least privilege for DJ role: Restrict DJ role capabilities to DJ-specific operations (playlists, uploads, limited stats only about their own shows if needed).
* Return appropriate status codes: Endpoints should return 403 Forbidden for unauthorized roles, not 200 with data.
* Automated tests: Add unit and integration tests asserting that DJ accounts cannot access admin/analytics endpoints (expect 403).
* Audit logging: Log attempts to access analytics endpoints (user, role, timestamp) for monitoring and forensics.
* Documentation: Clearly document role capabilities and endpoint permissions to reduce regressions.
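The following is an added example, not LibreTime's own code, showing how the first, third and fifth mitigation points fit together: a deny-by-default role check evaluated on the server before the handler reads any data, a 403 with a generic body for the DJ role, and an audit record (user, role, path, timestamp, decision) for every attempt. The role names, the request shape, the endpoint path and the metrics are assumptions constructed for the example; the vulnerable handler is kept beside the hardened one to show the difference the advisory describes.

```python
"""Added example (not LibreTime's code): server-side role enforcement on an
analytics endpoint with 403 for unauthorized roles and an audit trail.
Role names, request shape, endpoint path and metrics are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from functools import wraps
import logging

logger = logging.getLogger("analytics.access")

# Assumed role identifiers; LibreTime's real role names may differ.
ROLE_ADMIN = "admin"
ROLE_MANAGER = "manager"
ROLE_DJ = "dj"
ANALYTICS_ROLES = frozenset({ROLE_ADMIN, ROLE_MANAGER})


@dataclass(frozen=True)
class User:
    username: str
    role: str


@dataclass(frozen=True)
class Request:
    user: User  # already authenticated by the framework
    path: str


# In-memory audit trail so the example runs stand-alone; a deployment would
# forward these records to the application log or a SIEM.
AUDIT_LOG = []


def clear_audit_log():
    AUDIT_LOG.clear()


def record_access(request, allowed):
    """Log user, role, path, timestamp and decision for every attempt."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": request.user.username,
        "role": request.user.role,
        "path": request.path,
        "decision": "allow" if allowed else "deny",
    }
    AUDIT_LOG.append(entry)
    logger.info("analytics access: %s", entry)
    return entry


def require_roles(allowed_roles):
    """Decorator enforcing the role check on the server, before the handler
    touches any data. Any role not in allowed_roles gets 403."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(request, *args, **kwargs):
            allowed = request.user.role in allowed_roles
            record_access(request, allowed)
            if not allowed:
                # 403 with a generic body: no metrics leak to the caller.
                return 403, {"error": "forbidden"}
            return handler(request, *args, **kwargs)
        return wrapper
    return decorator


# Constructed station-wide metrics standing in for the real analytics store.
STATION_METRICS = {"listeners_peak": 412, "peak_hour": "18:00",
                   "station_id": "constructed-station-1"}


def station_analytics_vulnerable(request):
    """The pattern the advisory describes: authentication only, no role
    check, so any logged-in user (a DJ included) receives station data."""
    return 200, dict(STATION_METRICS)


@require_roles(ANALYTICS_ROLES)
def station_analytics(request):
    """Hardened endpoint: only admin/manager roles reach this body."""
    return 200, dict(STATION_METRICS)


def denied_attempts(username):
    """Detection helper: number of denied analytics requests by one user,
    the signal to alert on when a DJ account keeps hitting admin endpoints."""
    return sum(1 for e in AUDIT_LOG
               if e["user"] == username and e["decision"] == "deny")


if __name__ == "__main__":
    dj = Request(User("dj_alice", ROLE_DJ), "/analytics/station")  # assumed path
    admin = Request(User("ops_admin", ROLE_ADMIN), "/analytics/station")
    print("vulnerable, DJ:", station_analytics_vulnerable(dj)[0])  # 200
    print("hardened, DJ:", station_analytics(dj)[0])               # 403
    print("hardened, admin:", station_analytics(admin)[0])         # 200
    print("denied attempts by dj_alice:", denied_attempts("dj_alice"))  # 1
```

The check lives in a decorator rather than inside each handler so that a new analytics view cannot be added without an explicit role declaration, which is what the integration test in the fourth mitigation point would then assert (DJ account, expect 403). The audit entry is written before the decision is returned, so denied attempts are recorded as well as allowed ones.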

### Discoverer

Beatriz Fresno Naumova (beafn28)

### References

* **CVE:** <https://www.cve.org/CVERecord?id=CVE-2025-60427>
* **NIST:** <https://nvd.nist.gov/vuln/detail/CVE-2025-60427>
* **Public advisory:** <https://beafn28.gitbook.io/beafn28/cve/broken-access-control-in-libretime-analytics-endpoints-cve-2025-60427>
* **LibreTime:** <https://libretime.org>

