CVE-2025-63648
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-20

Last updated on: 2026-02-13

Assigner: MITRE

Description
A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-02-13
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-63648
EUVD
EUVD-2026-3333
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
owntone owntone_server From 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a NULL pointer dereference in the owntone-server's function dacp_reply_playqueueedit_move. It occurs when the server processes a specially crafted DACP request to the playqueue-edit endpoint with a 'move' command and an 'edit-params' parameter that lacks a colon character. The code attempts to find a colon in the parameter using strchr, but if the colon is missing, strchr returns NULL. The code then incorrectly uses this NULL pointer plus one as an argument to a function that converts strings to integers, bypassing NULL checks and causing a segmentation fault. This leads to a crash of the server process (Denial of Service). [1, 2]

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) by crashing the owntone-server when it receives a crafted DACP request with malformed parameters. An attacker can exploit this by sending such requests, causing the server process to crash and become unavailable, disrupting service. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for crashes or segmentation faults in the owntone-server process when it receives malformed DACP requests. Specifically, you can test by sending crafted HTTP GET requests to the server matching the pattern: GET /ctrl-int/1/playqueue-edit?command=move&edit-params=abc HTTP/1.1 followed by two CRLF sequences. To detect attempts or exploitations on your network, you can use network monitoring tools like tcpdump or Wireshark to filter for HTTP GET requests to paths matching /ctrl-int/*/playqueue-edit with query parameters command=move and edit-params lacking a colon. Example tcpdump command: tcpdump -i <interface> -A 'tcp port 3689 and (((tcp[((tcp[12] & 0xf0) >> 2):4]) = 0x47455420))' | grep '/ctrl-int/' and 'command=move' and 'edit-params=' (replace <interface> with your network interface). Additionally, checking server logs for crashes or segmentation faults related to dacp_reply_playqueueedit_move function can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include updating owntone-server to a version that includes the patch fixing this vulnerability, which adds proper NULL checks before parsing the edit-params parameter. If updating is not immediately possible, consider implementing network-level filtering to block or restrict malformed DACP requests matching the pattern /ctrl-int/*/playqueue-edit with command=move and edit-params lacking a colon. Monitoring and alerting on server crashes or segmentation faults can also help in early detection. Applying the patch described in the commit (https://github.com/owntone/owntone-server/commit/5f526c7a7e08c567a5c72421d74a79dafdd07621) is the recommended fix. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63648. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart