git: 89fc4a4bd611 - main - security/vuxml: Add multimedia/navidrome CVE-2025-27112
Date: Tue, 22 Apr 2025 02:57:01 UTC
The branch main has been updated by kbowling: URL: https://cgit.FreeBSD.org/ports/commit/?id=89fc4a4bd611be526bb7411e5191e383095cf4b7 commit 89fc4a4bd611be526bb7411e5191e383095cf4b7 Author: Kevin Bowling <kbowling@FreeBSD.org> AuthorDate: 2025-04-22 02:56:39 +0000 Commit: Kevin Bowling <kbowling@FreeBSD.org> CommitDate: 2025-04-22 02:56:39 +0000 security/vuxml: Add multimedia/navidrome CVE-2025-27112 --- security/vuxml/vuln/2025.xml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index 585c8d682e4a..db00fbdbffcc 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,34 @@ + <vuln vid="5ca2cafa-1f24-11f0-ab07-f8f21e52f724"> + <topic>Navidrome -- Authentication bypass in Subsonic API</topic> + <affects> + <package> + <name>navidrome</name> + <range><lt>0.54.5</lt></range> + <range><gt>0.52.0</gt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Deluan reports:</p> + <blockquote cite="https://github.com/navidrome/navidrome/security/advisories/GHSA-c3p4-vm8f-386p"> + <p>In certain Subsonic API endpoints, authentication can be + bypassed by using a non-existent username combined with an + empty (salted) password hash. This allows read-only access to + the server’s resources, though attempts at write operations + fail with a “permission denied” error.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-27112</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-27112</url> + </references> + <dates> + <discovery>2025-02-25</discovery> + <entry>2025-04-22</entry> + </dates> + </vuln> + <vuln vid="06269ae8-1e0d-11f0-ad0b-b42e991fc52e"> <topic>Erlang -- Erlang/OTP SSH Vulnerable to Pre-Authentication RCE</topic> <affects>
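Review bot: The two version bounds in the new navidrome `<package>` block are written as separate `<range>` elements, `<range><lt>0.54.5</lt></range>` and `<range><gt>0.52.0</gt></range>`, and VuXML treats each `<range>` as an independent match. The union of "less than 0.54.5" and "greater than 0.52.0" is every version, so the entry would flag fixed releases (0.54.5 and later) and releases at or before 0.52.0 as vulnerable. Put both bounds in one element, `<range><gt>0.52.0</gt><lt>0.54.5</lt></range>`, and confirm against the advisory whether the lower bound should be `<gt>` or `<ge>`. A smaller point: the GHSA advisory URL appears only in the blockquote `cite` attribute; adding it as a `<url>` under `<references>` next to the NVD link would make the upstream source visible to tools that read only the references.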