CVE-2025-44560
Buffer Overflow in owntone-server 2ca10d9 Due to Recursive Check Flaw
Publication date: 2026-04-10
Last updated on: 2026-04-14
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| owntone | owntone-server | 2ca10d9 |
| forked-daapd | forked-daapd | 2ca10d9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-44560 is a stack buffer overflow vulnerability found in owntone-server version 2ca10d9. It arises due to a lack of proper recursive checking in the server's parsing logic, specifically when handling the expression parameter in HTTP requests.
An attacker can exploit this by crafting a specially nested expression, such as a time_add function with multiple nested calls, which triggers infinite recursion. This causes a stack overflow that can lead to application crashes or potentially arbitrary code execution.
How can this vulnerability impact me?
The vulnerability can cause the owntone-server application to crash or enter a denial of service (DoS) state due to stack overflow triggered by infinite recursion.
In some cases, this stack buffer overflow could potentially allow an attacker to execute arbitrary code, which may lead to further compromise of the system running the vulnerable software.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the owntone-server version 2ca10d9 with specially crafted HTTP requests that include the expression parameter containing nested time_add function calls to trigger the recursive parsing logic.
A proof-of-concept test case (poc.txt) exists that demonstrates the exploit, which can be used to verify if the server is vulnerable.
Detection can involve sending HTTP requests with deeply nested expressions to the server and monitoring for crashes or abnormal behavior indicating a stack overflow.
Specific commands are not detailed in the provided resources, but fuzzing tools or curl commands sending crafted HTTP requests with nested expression parameters could be used.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps are not explicitly detailed in the provided resources.
General best practices would include updating owntone-server to a version where this vulnerability is fixed once available.
In the meantime, restricting or filtering HTTP requests that contain suspicious or deeply nested expression parameters may help reduce the risk of exploitation.
Monitoring the server for crashes or denial of service symptoms can also help in early detection and response.
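The filtering and monitoring steps described in the detection and mitigation answers above can be sketched as a nesting-depth check on the `expression` parameter. This is an added example, not code from owntone-server or from the CVE record. The request path, the `f(...)` syntax, the log format and both limits are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

MAX_DEPTH = 8      # assumed limit; tune to the deepest expression real clients send
MAX_LENGTH = 2048  # assumed cap on the decoded parameter length

# Request target inside a combined-format access log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def nesting_depth(expr):
    """Deepest level of '(' nesting. Parentheses inside quoted strings are
    counted too, which errs on the side of rejecting."""
    depth = peak = 0
    for ch in expr:
        if ch == "(":
            depth += 1
            peak = max(peak, depth)
        elif ch == ")" and depth > 0:
            depth -= 1
    return peak

def inspect_target(target):
    """Return (allowed, reason) for one request target such as '/x?expression=...'."""
    query = urlsplit(target).query
    # parse_qs percent-decodes once; every repeated 'expression' value is checked
    for value in parse_qs(query, keep_blank_values=True).get("expression", []):
        if len(value) > MAX_LENGTH:
            return False, "expression longer than %d characters" % MAX_LENGTH
        depth = nesting_depth(value)
        if depth > MAX_DEPTH:
            return False, "nesting depth %d exceeds %d" % (depth, MAX_DEPTH)
    return True, "ok"

def scan_access_log(lines):
    """Yield (line_number, reason) for log lines whose request would be rejected."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            allowed, reason = inspect_target(match.group(1))
            if not allowed:
                yield number, reason

# Constructed sample lines; the path and the f(...) syntax are placeholders
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] '
    '"GET /placeholder?expression=f(a)+and+g(b) HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2026:10:00:05 +0000] "GET /placeholder?expression='
    + "f%28" * 12 + "x" + "%29" * 12 + ' HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for number, reason in scan_access_log(SAMPLE_LOG):
        print("line %d: %s" % (number, reason))
```

`inspect_target` can sit in a reverse proxy or request hook in front of the server, while `scan_access_log` applies the same rule retrospectively to existing logs.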
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
There is no information provided in the available context or resources about how CVE-2025-44560 affects compliance with common standards and regulations such as GDPR or HIPAA.