CVE-2026-25579
Unknown Unknown - Not Provided
Memory Exhaustion in Navidrome Server via Large Image Resize Requests

Publication date: 2026-02-04

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25579
EUVD
EUVD-2026-5324
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
navidrome navidrome to 0.60.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Navidrome, an open source web-based music collection server and streamer. Before version 0.60.0, authenticated users could crash the Navidrome server by sending a request with an excessively large size parameter to the /rest/getCoverArt endpoint or to a shared-image URL (/share/img/<token>).

When processing these requests, the server tries to create a very large resized image, which causes uncontrolled memory growth. This triggers the Linux Out-Of-Memory (OOM) killer to terminate the Navidrome process, resulting in a full service outage.

Additionally, if the system has enough memory to survive the allocation, Navidrome writes these extremely large images into its cache directory, which can quickly exhaust the server's disk space.

This issue was fixed in Navidrome version 0.60.0.

Impact Analysis

This vulnerability can cause a denial of service (DoS) on the Navidrome server by crashing the application process through excessive memory consumption.

It can also lead to rapid exhaustion of server disk space by filling the cache directory with extremely large resized images.

As a result, legitimate users may experience full service outages and degraded performance, impacting availability and reliability of the music streaming service.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Navidrome to version 0.60.0 or later, where the issue has been patched.

Until the upgrade can be performed, consider restricting or monitoring requests to the /rest/getCoverArt endpoint and shared-image URLs (/share/img/<token>) to prevent excessively large size parameters from being processed.

Additionally, monitor server memory usage and disk space to detect abnormal growth that could indicate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25579. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart