CVE-2025-57155
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-02-13
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| owntone | owntone_server | From 28.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a null pointer dereference in the daap_reply_groups function in the Owntone server. It happens when the 'group-type' parameter is missing from an HTTP request query. The code originally called strcmp on this parameter without checking if it was null, which could cause the server to crash. The fix adds a null check before calling strcmp, preventing the crash when handling DAAP requests without the 'group-type' parameter. [1]
How can this vulnerability impact me? :
This vulnerability allows remote attackers to cause a Denial of Service (DoS) by crashing the Owntone server when it processes specially crafted DAAP requests missing the 'group-type' parameter. This can disrupt service availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or Denial of Service symptoms in the Owntone server when handling DAAP requests, especially those missing the "group-type" parameter. Since the issue arises from a null pointer dereference in the daap_reply_groups function when processing such requests, you can attempt to reproduce the issue by sending DAAP HTTP requests without the "group-type" parameter and observe if the server crashes. Specific commands to test this could include using curl to send crafted HTTP requests, for example: curl 'http://<server-ip>:<port>/daap?someparam=value' (omitting the "group-type" parameter). If the server crashes or restarts, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Owntone server to a version that includes the fix for this vulnerability, which adds a null check before calling strcmp on the "group-type" parameter. Applying the patch that modifies the condition to check if the parameter is non-null prevents the null pointer dereference and thus the Denial of Service. If updating is not immediately possible, consider implementing network-level protections to block malformed DAAP requests missing the "group-type" parameter or restrict access to the DAAP service until the patch can be applied. [1]