CVE-2025-63647
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-02-13
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| owntone | owntone_server | to 28.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a NULL pointer dereference in the parse_meta function of the owntone-server's DAAP implementation. It occurs when the server processes a crafted DAAP request that causes the function to dereference a NULL pointer, leading to a crash or Denial of Service (DoS). Essentially, improper handling of uninitialized or NULL pointers in the code allows attackers to disrupt the server's normal operation. [2]
How can this vulnerability impact me? :
This vulnerability can cause a Denial of Service (DoS) on the owntone-server by crashing the server when it processes a specially crafted DAAP request. This means an attacker can make the server unavailable to legitimate users by exploiting this flaw. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or Denial of Service conditions in the owntone-server when it receives crafted DAAP requests. Since the issue is a NULL pointer dereference triggered by malformed DAAP requests, one detection method is to capture and analyze DAAP traffic for suspicious or malformed requests targeting the server. Specific commands are not provided in the resources, but network packet capture tools like tcpdump or Wireshark can be used to capture DAAP traffic (TCP port 3689 by default). Additionally, reviewing server logs for crashes or abnormal restarts may indicate exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the owntone-server to the latest version that includes the fix from commit 53ee9a3c3921e5448f502800c4dfa787865f6cb7, which addresses the NULL pointer dereference and related memory management issues. If updating is not immediately possible, consider restricting or filtering DAAP traffic to the server to prevent crafted requests from reaching it. Monitoring and limiting access to the DAAP service can reduce the risk of exploitation. [2]