CVE-2025-63648
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-02-13
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| owntone | owntone_server | From 29.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a NULL pointer dereference in the owntone-server's function dacp_reply_playqueueedit_move. It occurs when the server processes a specially crafted DACP request to the playqueue-edit endpoint with a 'move' command and an 'edit-params' parameter that lacks a colon character. The code attempts to find a colon in the parameter using strchr, but if the colon is missing, strchr returns NULL. The code then incorrectly uses this NULL pointer plus one as an argument to a function that converts strings to integers, bypassing NULL checks and causing a segmentation fault. This leads to a crash of the server process (Denial of Service). [1, 2]
How can this vulnerability impact me? :
This vulnerability can cause a Denial of Service (DoS) by crashing the owntone-server when it receives a crafted DACP request with malformed parameters. An attacker can exploit this by sending such requests, causing the server process to crash and become unavailable, disrupting service. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or segmentation faults in the owntone-server process when it receives malformed DACP requests. Specifically, you can test by sending crafted HTTP GET requests to the server matching the pattern: GET /ctrl-int/1/playqueue-edit?command=move&edit-params=abc HTTP/1.1 followed by two CRLF sequences. To detect attempts or exploitations on your network, you can use network monitoring tools like tcpdump or Wireshark to filter for HTTP GET requests to paths matching /ctrl-int/*/playqueue-edit with query parameters command=move and edit-params lacking a colon. Example tcpdump command: tcpdump -i <interface> -A 'tcp port 3689 and (((tcp[((tcp[12] & 0xf0) >> 2):4]) = 0x47455420))' | grep '/ctrl-int/' and 'command=move' and 'edit-params=' (replace <interface> with your network interface). Additionally, checking server logs for crashes or segmentation faults related to dacp_reply_playqueueedit_move function can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating owntone-server to a version that includes the patch fixing this vulnerability, which adds proper NULL checks before parsing the edit-params parameter. If updating is not immediately possible, consider implementing network-level filtering to block or restrict malformed DACP requests matching the pattern /ctrl-int/*/playqueue-edit with command=move and edit-params lacking a colon. Monitoring and alerting on server crashes or segmentation faults can also help in early detection. Applying the patch described in the commit (https://github.com/owntone/owntone-server/commit/5f526c7a7e08c567a5c72421d74a79dafdd07621) is the recommended fix. [2]