VYPR advisory · Published Jun 26, 2026 · 1 source

Metasploit Adds Modules for Audiobookshelf, LiteLLM, Next.js, and Dalfox Vulnerabilities

Rapid7's latest Metasploit update adds four new modules targeting critical vulnerabilities in Audiobookshelf, LiteLLM, Next.js, and Dalfox, including a CISA KEV-listed SQL injection flaw.

Rapid7 has released a new weekly update for the Metasploit Framework, introducing four new modules that target recently disclosed vulnerabilities in widely used open-source tools. The modules cover an unauthenticated API authentication bypass in Audiobookshelf, a pre-authentication SQL injection in BerriAI's LiteLLM proxy, an authorization bypass in Next.js middleware, and a deserialization remote code execution flaw in Dalfox Server. The update also includes enhancements to the auth_brute mixin and socket handling improvements.

The first module addresses CVE-2025-25205, an unauthenticated API authentication bypass in Audiobookshelf, a self-hosted audiobook and podcast server. The vulnerability affects versions 2.17.0 through 2.19.0 and was fixed in version 2.19.1. The auxiliary scanner module, contributed by Kenneth LaCroix and swiftbird07, allows penetration testers to detect whether a target Audiobookshelf instance is vulnerable to this bypass.

A second module targets CVE-2026-42208, a pre-authentication SQL injection vulnerability in BerriAI's LiteLLM proxy. This flaw carries a CVSS score of 9.3 and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. The module, contributed by Kenneth LaCroix and Tencent YunDing Security Lab, provides a scanner that detects vulnerable LiteLLM proxy instances without requiring credentials, since the flaw is reachable before authentication.

The third module addresses CVE-2025-29927, an authorization bypass vulnerability in Next.js middleware with a CVSS score of 9.1. This flaw affects self-hosted Next.js applications and could allow attackers to bypass middleware-based authorization checks. The scanner module was contributed by Kenneth LaCroix, Rachid Allam, and Yasser Allam.

Finally, the update includes an exploit module for CVE-2026-45087, a deserialization remote code execution vulnerability in Dalfox Server versions 2.12.0 and earlier. The flaw allows unauthenticated attackers to send arbitrary commands via the 'found-action' POST parameter, which is deserialized and executed in the context of the server user. The exploit was contributed by Emmanuel David and Takahiro Yokoyama.

In addition to the new modules, the update includes two enhancements. The first improves the auth_brute mixin by adding report_host and report_service calls, and removing duplicate IP:PORT printing in brute-force statements. The second updates the rex-socket library's recvfrom method to align with Ruby's standard library implementation, allowing rex-socket to serve as a drop-in replacement for Ruby's UDPSocket.
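As an added illustration of the recvfrom contract the rex-socket change aligns with (example code written here, not rex-socket's or Metasploit's own): a consumer coded against the return shape of Ruby's standard-library UDPSocket#recvfrom, exercised over loopback. Any replacement socket class that returns the same [payload, addr_info] pair can be handed to read_datagram unchanged; read_datagram and demo_roundtrip are names chosen for this example.

```ruby
require 'socket'

# UDPSocket#recvfrom(maxlen) returns [payload, addr_info], where addr_info is
# ["AF_INET", port, hostname, ip]. A drop-in replacement must return the same
# shape so callers like this one keep working without modification.
def read_datagram(sock, maxlen = 65_535)
  payload, addr_info = sock.recvfrom(maxlen)
  family, port, _host, ip = addr_info
  { family: family, peer_ip: ip, peer_port: port, payload: payload }
end

# Exercise the contract with two real UDPSockets on the loopback interface.
# The message is a constructed sample; nothing leaves the host.
# Returns the parsed datagram and the sender's ephemeral port for comparison.
def demo_roundtrip(message = 'hello from sender')
  receiver = UDPSocket.new
  receiver.bind('127.0.0.1', 0)          # port 0: the OS picks a free port
  port = receiver.addr[1]                # IPSocket#addr is [family, port, host, ip]

  sender = UDPSocket.new
  sender.connect('127.0.0.1', port)      # connect implicitly binds an ephemeral port
  sender.send(message, 0)
  sender_port = sender.addr[1]

  result = read_datagram(receiver)
  [result, sender_port]
ensure
  sender&.close
  receiver&.close
end
```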

This weekly release continues Rapid7's commitment to providing penetration testers with up-to-date tools for assessing the security of modern software stacks. The inclusion of a CISA KEV-listed vulnerability underscores the importance of timely detection capabilities for flaws actively exploited by threat actors. Users can update to the latest Metasploit Framework using the msfupdate command or by cloning the GitHub repository.

Synthesized by Vypr AI