Broken Access Control in LibreTime analytics endpoints (CVE-2025-60427)

Author: Beatriz Fresno Naumova (beafn28)

Date: 17/10/2025

Vendor: LibreTime

Product: LibreTime

Versions affected: 3.0.0-alpha.10 and possibly earlier

Component: Analytics module - Web UI and API endpoints handling analytics data

CWE: CWE-284 - Improper Access Control

Attack type: Remote (requires authenticated DJ account)

Impact: Information Disclosure

Description

LibreTime 3.0.0-alpha.10 (and possibly earlier) contains a broken access control issue in its analytics subsystem. An authenticated user assigned the DJ role can access analytics endpoints (via the web UI or direct API calls) that return station-wide metrics. The backend fails to enforce role-based permission checks on these analytics endpoints, allowing less-privileged users to retrieve sensitive station-level analytics that should be restricted to administrators or managers.

Impact

  • Primary impact: Information disclosure (station-wide analytics and metrics exposed to unauthorized users).

  • Consequences: Privacy exposure, operational reconnaissance, and enabling subsequent targeted attacks or abuse (e.g., identifying high-value time slots, listener counts, station identifiers).

  • Approximate severity: Medium.

  • Estimated CVSS v3.1 vector (approximate): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Estimated base score: ~4.9–5.8 (Medium). Final scoring should be performed by the CNA/CISA/NVD.

Attack Details

  • An authenticated account with the DJ role can call analytics API endpoints (or use the Web UI analytics views) and obtain station-wide metrics because the server does not verify that the requesting role is authorized to access those resources.

  • This requires only a valid DJ account (no admin privileges), and can be performed remotely against a vulnerable instance.

  • Example targets (illustrative — replace with exact endpoints observed): /api/analytics/overview, /api/metrics/station/*, or other analytics-related endpoints under /api/.

Proof of Concept (POC) - Soon

Mitigation

  • Enforce RBAC server-side: Add explicit role checks on analytics endpoints so only admin/manager roles can retrieve station-wide metrics.

  • Least privilege for DJ role: Restrict DJ role capabilities to DJ-specific operations (playlists, uploads, limited stats only about their own shows if needed).

  • Return appropriate status codes: Endpoints should return 403 Forbidden for unauthorized roles, not 200 with data.

  • Automated tests: Add unit and integration tests asserting that DJ accounts cannot access admin/analytics endpoints (expect 403).

  • Audit logging: Log attempts to access analytics endpoints (user, role, timestamp) for monitoring and forensics.

  • Documentation: Clearly document role capabilities and endpoint permissions to reduce regressions.
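The following is an added illustration of the missing check described under Attack Details and of the first five mitigation points above; it is not LibreTime's own code and does not use LibreTime's API or route names. It is a framework-independent Python handler with constructed users, routes and metrics: a vulnerable view that returns station-wide metrics to any authenticated user is shown beside a hardened view whose decorator enforces the role server-side, returns 403 Forbidden (with no data) for disallowed roles, and writes an audit record (user, role, path, outcome, timestamp) for every attempt. All names (User, require_roles, handle_request, AUDIT_LOG, the /api/analytics/* paths) are assumptions made for the example.

```python
"""Server-side RBAC check for station-wide analytics endpoints.

Added example (not LibreTime's code): a framework-independent request handler
that refuses station-wide analytics to roles other than admin/manager, returns
403 instead of 200-with-data, and records an audit entry for every attempt.
Users, routes and metric values are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from functools import wraps
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict]


@dataclass
class User:
    username: str
    role: str  # constructed roles: "admin", "manager", "dj"


@dataclass
class AuditEntry:
    user: str
    role: str
    path: str
    allowed: bool
    timestamp: str


# In-memory audit log standing in for a real log sink (constructed).
AUDIT_LOG: List[AuditEntry] = []

# Constructed sample data standing in for station-wide metrics.
STATION_METRICS = {"listeners_peak": 412, "total_plays": 9813}


def vulnerable_overview(user: User, path: str) -> Response:
    """The flawed pattern: authentication happened upstream, but no role
    check is made here, so any authenticated user (including a DJ) gets
    station-wide data with a 200 response."""
    return 200, dict(STATION_METRICS)


def require_roles(*roles: str) -> Callable:
    """Decorator enforcing that the caller's role is one of `roles` before the
    view runs; every attempt, allowed or not, is written to the audit log."""
    allowed_roles = frozenset(roles)

    def decorator(view: Callable[[User, str], Response]) -> Callable[[User, str], Response]:
        @wraps(view)
        def wrapper(user: User, path: str) -> Response:
            allowed = user.role in allowed_roles
            AUDIT_LOG.append(AuditEntry(user.username, user.role, path, allowed,
                                        datetime.now(timezone.utc).isoformat()))
            if not allowed:
                # 403, and no metrics in the body.
                return 403, {"error": "forbidden"}
            return view(user, path)
        return wrapper
    return decorator


@require_roles("admin", "manager")
def analytics_overview(user: User, path: str) -> Response:
    """Hardened view: station-wide metrics for admin/manager only."""
    return 200, dict(STATION_METRICS)


@require_roles("admin", "manager", "dj")
def my_show_stats(user: User, path: str) -> Response:
    """Least-privilege DJ endpoint: data scoped to the caller's own shows
    (constructed sample value)."""
    return 200, {"owner": user.username, "plays": 37}


# Constructed routing table; the hardened view is what is exposed.
ROUTES: Dict[str, Callable[[User, str], Response]] = {
    "/api/analytics/overview": analytics_overview,
    "/api/analytics/my-shows": my_show_stats,
}


def handle_request(user: User, path: str) -> Response:
    """Dispatch an already-authenticated request to its view."""
    view = ROUTES.get(path)
    if view is None:
        return 404, {"error": "not found"}
    return view(user, path)


def audit_entries_for(username: str) -> List[AuditEntry]:
    """Return audit records for one user, e.g. for an investigation."""
    return [e for e in AUDIT_LOG if e.user == username]


if __name__ == "__main__":
    dj = User("dj1", "dj")
    print("vulnerable:", vulnerable_overview(dj, "/api/analytics/overview"))
    print("hardened:  ", handle_request(dj, "/api/analytics/overview"))
    print("scoped:    ", handle_request(dj, "/api/analytics/my-shows"))
    for entry in audit_entries_for("dj1"):
        print(entry)
```

The same `require_roles` decorator is the shape of the regression test the advisory asks for: a test fixture with a DJ user calls every station-wide analytics route and asserts a 403 with no metric keys in the body, while the DJ-scoped route still answers 200.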

Discoverer

Beatriz Fresno Naumova (beafn28)

References
