CVE-2025-44560
Received Received - Intake
Buffer Overflow in owntone-server 2ca10d9 Due to Recursive Check Flaw

Publication date: 2026-04-10

Last updated on: 2026-04-14

Assigner: MITRE

Description
owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-44560
EUVD
EUVD-2025-209405
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
owntone owntone-server 2ca10d9
forked-daapd forked-daapd 2ca10d9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

There is no information provided in the available context or resources about how CVE-2025-44560 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-44560 is a stack buffer overflow vulnerability found in owntone-server version 2ca10d9. It arises due to a lack of proper recursive checking in the server's parsing logic, specifically when handling the expression parameter in HTTP requests.

An attacker can exploit this by crafting a specially nested expression, such as a time_add function with multiple nested calls, which triggers infinite recursion. This causes a stack overflow that can lead to application crashes or potentially arbitrary code execution.

Impact Analysis

The vulnerability can cause the owntone-server application to crash or enter a denial of service (DoS) state due to stack overflow triggered by infinite recursion.

In some cases, this stack buffer overflow could potentially allow an attacker to execute arbitrary code, which may lead to further compromise of the system running the vulnerable software.

Detection Guidance

This vulnerability can be detected by testing the owntone-server version 2ca10d9 with specially crafted HTTP requests that include the expression parameter containing nested time_add function calls to trigger the recursive parsing logic.

A proof-of-concept test case (poc.txt) exists that demonstrates the exploit, which can be used to verify if the server is vulnerable.

Detection can involve sending HTTP requests with deeply nested expressions to the server and monitoring for crashes or abnormal behavior indicating a stack overflow.

Specific commands are not detailed in the provided resources, but fuzzing tools or curl commands sending crafted HTTP requests with nested expression parameters could be used.

Mitigation Strategies

Immediate mitigation steps are not explicitly detailed in the provided resources.

General best practices would include updating owntone-server to a version where this vulnerability is fixed once available.

In the meantime, restricting or filtering HTTP requests that contain suspicious or deeply nested expression parameters may help reduce the risk of exploitation.

Monitoring the server for crashes or denial of service symptoms can also help in early detection and response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-44560. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart