Broken Access Control in LibreTime analytics endpoints (CVE-2025-60427)

Author: Beatriz Fresno Naumova (beafn28)

Date: 17/10/2025

Vendor: LibreTime

Product: LibreTime

Versions affected: 3.0.0-alpha.10 and possibly earlier

Component: Analytics module - Web UI and API endpoints handling analytics data

CWE: CWE-284 - Improper Access Control

Attack type: Remote

Impact: Information Disclosure

Description

LibreTime 3.0.0-alpha.10 (and possibly earlier) contains a broken access control issue in its analytics subsystem. An authenticated user assigned the DJ role can access analytics endpoints (via the web UI or direct API calls) that return station-wide metrics. The backend fails to enforce role-based permission checks on these analytics endpoints, allowing less-privileged users to retrieve sensitive station-level analytics that should be restricted to administrators or managers.

Impact

  • Primary impact: Information disclosure (station-wide analytics and metrics exposed to unauthorized users).

  • Consequences: privacy exposure, operational reconnaissance, and groundwork for follow-on targeted attacks or abuse (e.g. learning peak listening times, listener counts, or station identifiers).

Attack Details

Attack Vector (AV): Network (N)

Attack Complexity (AC): Low (L)

Privileges Required (PR): Low (L)

User Interaction (UI): None (N)

Scope (S): Unchanged (U)

Confidentiality (C): High (H)

Integrity (I): None (N)

Availability (A): None (N)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v3.1 Base Score: 6.5 (Medium)

Mitigation

  • Enforce RBAC server-side: add explicit role checks on the analytics endpoints themselves so only admin/manager roles can retrieve station-wide metrics. Hiding the analytics page in the web UI is not a control, since the API can be called directly.

  • Least privilege for DJ role: Restrict DJ role capabilities to DJ-specific operations (playlists, uploads, limited stats only about their own shows if needed).

  • Return appropriate status codes: Endpoints should return 403 Forbidden for unauthorized roles, not 200 with data.

  • Automated tests: Add unit and integration tests asserting that DJ accounts cannot access admin/analytics endpoints (expect 403).

  • Audit logging: Log attempts to access analytics endpoints (user, role, timestamp) for monitoring and forensics.

  • Documentation: Clearly document role capabilities and endpoint permissions to reduce regressions.
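The failure described in the Description and the first four mitigations above, as an added example that is not LibreTime's own code: the handler pattern the advisory describes (authentication only, no role check) sits beside a hardened version that enforces the role on the server, returns 403 instead of 200 with data, records denied attempts for audit, and offers DJs a least-privilege view of their own shows. The role names "dj", "manager" and "admin", the path "/analytics/station", the handler names and the metrics payload are all assumptions for illustration, not taken from the project.

```python
"""Added example (not LibreTime's own code): server-side role enforcement on
a station-wide analytics endpoint, shown next to the unenforced pattern the
advisory describes.

Assumptions (hypothetical, not from LibreTime): role names "dj", "manager",
"admin"; the path "/analytics/station"; constructed sample metrics.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from functools import wraps
from typing import Callable

# Constructed sample data standing in for station-wide analytics.
STATION_METRICS = {"listeners_peak": 412, "listener_hours": 9731.5,
                   "top_show": "Morning Drive"}


@dataclass
class Request:
    user: str
    role: str                          # "dj", "manager" or "admin" (assumed)
    path: str = "/analytics/station"   # hypothetical endpoint path


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


# Audit trail of denied requests: (timestamp, user, role, path).
AUDIT_LOG: list[tuple[str, str, str, str]] = []


def require_role(*allowed: str) -> Callable:
    """Decorator enforcing RBAC on the server: callers outside `allowed`
    get 403 Forbidden (never 200 with data) and the attempt is logged."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(request: Request) -> Response:
            if request.role not in allowed:
                AUDIT_LOG.append((datetime.now(timezone.utc).isoformat(),
                                  request.user, request.role, request.path))
                return Response(403, {"error": "forbidden"})
            return handler(request)
        return wrapper
    return decorator


def station_analytics_vulnerable(request: Request) -> Response:
    """The pattern in the advisory: the caller is authenticated (it has a
    role) but no authorization check runs, so a DJ receives the station-wide
    metrics with HTTP 200."""
    return Response(200, dict(STATION_METRICS))


@require_role("admin", "manager")
def station_analytics(request: Request) -> Response:
    """Hardened handler: only admin/manager roles reach the metrics."""
    return Response(200, dict(STATION_METRICS))


def own_show_stats(request: Request, shows_by_dj: dict[str, dict]) -> Response:
    """Least-privilege view for DJs: only statistics about the caller's own
    shows, keyed by the requesting user rather than by a client-chosen id."""
    return Response(200, shows_by_dj.get(request.user, {}))


def dj_is_blocked() -> bool:
    """Regression check for the test suite: a DJ must receive 403 from the
    hardened endpoint and the body must carry no station-wide metrics."""
    resp = station_analytics(Request("dj_alice", "dj"))
    return resp.status == 403 and "listeners_peak" not in resp.body


if __name__ == "__main__":
    print("vulnerable, dj:", station_analytics_vulnerable(Request("dj_alice", "dj")).status)
    print("hardened, dj:  ", station_analytics(Request("dj_alice", "dj")).status)
    print("hardened, admin:", station_analytics(Request("root", "admin")).status)
    print("audit log:", AUDIT_LOG)
```

The decorator is the unit to reuse: every endpoint that returns station-level data gets the same `require_role` guard, and the integration test asserts `dj_is_blocked()` so a future refactor that drops the decorator fails CI instead of silently reintroducing the disclosure.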

Discoverer

Beatriz Fresno Naumova (beafn28)

References
