CVE-2026-25579
Memory Exhaustion in Navidrome Server via Large Image Resize Requests
Publication date: 2026-02-04
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| navidrome | navidrome | up to 0.60.0 (excluding 0.60.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Navidrome, an open source web-based music collection server and streamer. Before version 0.60.0, authenticated users could crash the Navidrome server by sending a request with an excessively large size parameter to the /rest/getCoverArt endpoint or to a shared-image URL (/share/img/<token>).
When processing these requests, the server tries to create a very large resized image, which causes uncontrolled memory growth. This triggers the Linux Out-Of-Memory (OOM) killer to terminate the Navidrome process, resulting in a full service outage.
Additionally, if the system has enough memory to survive the allocation, Navidrome writes these extremely large images into its cache directory, which can quickly exhaust the server's disk space.
This issue was fixed in Navidrome version 0.60.0.
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) on the Navidrome server by crashing the application process through excessive memory consumption.
It can also lead to rapid exhaustion of server disk space by filling the cache directory with extremely large resized images.
As a result, legitimate users may experience full service outages and degraded performance, impacting availability and reliability of the music streaming service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Navidrome to version 0.60.0 or later, where the issue has been patched.
Until the upgrade can be performed, consider restricting or monitoring requests to the /rest/getCoverArt endpoint and shared-image URLs (/share/img/<token>) to prevent excessively large size parameters from being processed.
Additionally, monitor server memory usage and disk space to detect abnormal growth that could indicate exploitation attempts.
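The two answers above describe the mechanism (an attacker-controlled size parameter drives the dimensions of an image buffer) and the interim mitigation (bound or monitor the size parameter on /rest/getCoverArt and /share/img/<token>). The Go program below is an added example written for this page; it is not Navidrome's code and not the fix shipped in 0.60.0. It shows the defensive shape of such a fix, a hard cap on the parsed size before any allocation happens, next to a small access-log scan that flags oversized requests for deployments that cannot upgrade yet. The cap of 2048 pixels, the log line format, the log lines themselves and the function names are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// MaxImageSize is an assumed upper bound on the requested edge length in pixels.
// It is an illustrative value for this example, not Navidrome's own limit.
const MaxImageSize = 2048

// ErrSizeOutOfRange is returned when the size parameter is negative or above the cap.
var ErrSizeOutOfRange = errors.New("size parameter out of range")

// ParseSize validates the "size" query parameter of a cover-art request before
// any image buffer is allocated. An empty value means "original size" (0).
// Non-numeric, negative or oversized values are rejected, so the decode/resize
// step never sees an attacker-controlled dimension.
func ParseSize(raw string) (int, error) {
	if raw == "" {
		return 0, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil {
		return 0, fmt.Errorf("size must be an integer: %w", err)
	}
	if n < 0 || n > MaxImageSize {
		return 0, fmt.Errorf("%w: %d (max %d)", ErrSizeOutOfRange, n, MaxImageSize)
	}
	return n, nil
}

// EstimateRGBABytes returns the memory a decoded size x size RGBA image would
// occupy (4 bytes per pixel). This is the quantity the cap above keeps bounded.
func EstimateRGBABytes(size int) int64 {
	return int64(size) * int64(size) * 4
}

// requestLine extracts the request target from a constructed access-log line in
// a minimal common-log-like format; the format is an assumption of this example.
var requestLine = regexp.MustCompile(`"(?:GET|HEAD) (\S+) HTTP/[\d.]+"`)

// OversizedRequest describes a log entry whose size parameter exceeds the cap.
type OversizedRequest struct {
	Path string
	Size int
}

// FlagOversizedRequests scans access-log lines for /rest/getCoverArt and
// /share/img/ requests whose size parameter is above MaxImageSize. It is a
// detection aid for unpatched deployments and reuses ParseSize for the decision.
func FlagOversizedRequests(lines []string) []OversizedRequest {
	var out []OversizedRequest
	for _, line := range lines {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		if u.Path != "/rest/getCoverArt" && !strings.HasPrefix(u.Path, "/share/img/") {
			continue
		}
		raw := u.Query().Get("size")
		if _, err := ParseSize(raw); errors.Is(err, ErrSizeOutOfRange) {
			n, _ := strconv.Atoi(raw) // Atoi succeeded inside ParseSize, so this cannot fail
			out = append(out, OversizedRequest{Path: u.Path, Size: n})
		}
	}
	return out
}

// SampleLog is constructed for this example; it is not real Navidrome output.
var SampleLog = []string{
	`10.0.0.5 - - [04/Feb/2026:10:00:01 +0000] "GET /rest/getCoverArt?id=al-1&size=300 HTTP/1.1" 200 18211`,
	`10.0.0.7 - - [04/Feb/2026:10:00:02 +0000] "GET /rest/getCoverArt?id=al-1&size=100000 HTTP/1.1" 200 0`,
	`10.0.0.9 - - [04/Feb/2026:10:00:03 +0000] "GET /share/img/abc123?size=50000 HTTP/1.1" 200 0`,
	`10.0.0.5 - - [04/Feb/2026:10:00:04 +0000] "GET /rest/ping HTTP/1.1" 200 52`,
}

func main() {
	for _, r := range FlagOversizedRequests(SampleLog) {
		fmt.Printf("%s size=%d (~%d MiB as RGBA)\n", r.Path, r.Size, EstimateRGBABytes(r.Size)>>20)
	}
}
```

The important design point is that the bound is applied to the parsed integer before it reaches any image library: a 100000 pixel square decoded as RGBA is roughly 37 GiB, which is exactly the uncontrolled growth the description refers to, and a single comparison prevents it. The log scan only reports requests above the same cap, so tuning MaxImageSize to the largest size your clients legitimately request keeps both halves consistent.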