anonhaven
Ad

CVE-2026-25579

CRITICAL CVSS 4.0: 9.2 EPSS 0.05%
Updated Feb 05, 2026
Navidrome
Parameter Value
CVSS 9.2 (CRITICAL)
Fixed In 0.60.0
Type CWE-400 (Uncontrolled Resource Consumption (Неконтролируемое потребление ресурсов)), CWE-789, CWE-770 (Allocation Without Limits (Выделение ресурсов без ограничений))
Vendor Navidrome
Public PoC No

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth.

This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Attack Requirements
None
Нет дополнительных условий
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
None
Нет утечки данных
Integrity
None
Нет модификации данных
Availability
High
Полный отказ в обслуживании

CVSS Vector v4.0

Weakness Type (CWE)

CWE-400 Uncontrolled Resource Consumption (Неконтролируемое потребление ресурсов)
CWE-789
CWE-770 Allocation Without Limits (Выделение ресурсов без ограничений)

References 2

https://github.com/navidrome/navidrome/releases/tag/v0.60.0
security-advisories@github.com
https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3
security-advisories@github.com
Share Post Share Share Share