CVE-2026-25579

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/navidrome/navidrome/releases/tag/v0.60.0	Product Release Notes
https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-04 22:16

Updated : 2026-02-18 19:01

NVD link : CVE-2026-25579

Mitre link : CVE-2026-25579

CVE.ORG link : CVE-2026-25579

JSON object : View

Products Affected

navidrome

navidrome

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

CWE-789

Memory Allocation with Excessive Size Value

{"id": "CVE-2026-25579", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-04T22:16:01.257", "references": [{"url": "https://github.com/navidrome/navidrome/releases/tag/v0.60.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}, {"lang": "en", "value": "CWE-789"}]}], "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0."}, {"lang": "es", "value": "Navidrome es un servidor y streamer de colecci\u00f3n de m\u00fasica basado en web de c\u00f3digo abierto. Antes de la versi\u00f3n 0.60.0, los usuarios autenticados pueden bloquear el servidor de Navidrome al proporcionar un par\u00e1metro de tama\u00f1o excesivamente grande a /rest/getCoverArt o a una URL de imagen compartida (/share/img/). Al procesar dichas solicitudes, el servidor intenta crear una imagen redimensionada extremadamente grande, lo que provoca un crecimiento descontrolado de la memoria. Esto activa el OOM killer de Linux, termina el proceso de Navidrome y resulta en una interrupci\u00f3n completa del servicio. Si el sistema tiene suficiente memoria y sobrevive a la asignaci\u00f3n, Navidrome escribe estas im\u00e1genes redimensionadas extremadamente grandes en su directorio de cach\u00e9, permitiendo que un atacante agote r\u00e1pidamente el espacio en disco del servidor tambi\u00e9n. Este problema ha sido parcheado en la versi\u00f3n 0.60.0."}], "lastModified": "2026-02-18T19:01:54.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "505C09F4-61BF-49C6-A089-5E2E8577E01B", "versionEndExcluding": "0.60.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}