CVE-2025-63647

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-63647

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63647.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-63647

Published

2026-01-20T21:16:04.220Z

Modified

2026-03-15T22:51:40.714773Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

A NULL pointer dereference in the parsemeta function (src/httpddaap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.

References

Affected packages

Git / github.com/owntone/owntone-server

Affected ranges

Type

GIT

Repo

https://github.com/owntone/owntone-server

Events

Introduced

Fixed

a95b226fdb04654291b3328395ec9f7f52d54f53

Fixed

53ee9a3c3921e5448f502800c4dfa787865f6cb7

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "28.3"
        }
    ]
}

Affected versions

0.*

0.10

0.11

0.12

0.19

20.*

20.0

21.*

21.0

22.*

22.0

22.1

22.2

22.3

23.*

23.0

23.1

23.2

23.3

23.4

24.*

24.0

24.1

24.2

25.*

25.0

26.*

26.0

26.1

26.2

26.3

26.4

26.5

27.*

27.0

27.1

27.2

27.3

27.4

28.*

28.0

28.1

28.2

Other

fork_cleanedup

mt-daapd_svn1696

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "src/httpd_daap.c",
            "function": "parse_meta"
        },
        "id": "CVE-2025-63647-16e741e5",
        "deprecated": false,
        "source": "https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7",
        "digest": {
            "function_hash": "261843272233544401934489147918627895260",
            "length": 1144.0
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "src/httpd_dacp.c"
        },
        "id": "CVE-2025-63647-883e78ce",
        "deprecated": false,
        "source": "https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7",
        "digest": {
            "line_hashes": [
                "190946926299923221521453250114199072126",
                "134877992974223637607847934625719954269",
                "149872434799879126695758137326071624603",
                "322698878702872763578928309581338452981",
                "296660057967436549313911482554719000773",
                "147515481865273730694298369110126844494",
                "98539959312524237915499436738062288984",
                "1439337854983515774534689815170233506",
                "112581508201343998601084165776577285833",
                "239050686764331704749406798300947858546",
                "328718722497547703608360630167866262067"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "src/httpd_daap.c",
            "function": "daap_reply_groups"
        },
        "id": "CVE-2025-63647-adf843e1",
        "deprecated": false,
        "source": "https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7",
        "digest": {
            "function_hash": "87163810884881937296073128355850878308",
            "length": 4221.0
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "src/httpd_daap.c",
            "function": "daap_reply_playlists"
        },
        "id": "CVE-2025-63647-cc123cbc",
        "deprecated": false,
        "source": "https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7",
        "digest": {
            "function_hash": "288118153228541590484947300865892120498",
            "length": 4206.0
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "src/httpd_daap.c",
            "function": "daap_reply_songlist_generic"
        },
        "id": "CVE-2025-63647-cd1fcec2",
        "deprecated": false,
        "source": "https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7",
        "digest": {
            "function_hash": "67559614200880432617957462941414024919",
            "length": 3887.0
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "src/httpd_daap.c",
            "function": "daap_session_free"
        },
        "id": "CVE-2025-63647-f0e1a30d",
        "deprecated": false,
        "source": "https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7",
        "digest": {
            "function_hash": "263433122505803408150982663446616654491",
            "length": 88.0
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "src/httpd_daap.c"
        },
        "id": "CVE-2025-63647-f12b3769",
        "deprecated": false,
        "source": "https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7",
        "digest": {
            "line_hashes": [
                "258285239057430312257326477569344013161",
                "261950080785829124972941630055086160487",
                "68089000612623496967646888621392935838",
                "44362787547988687197993208725705105884",
                "158397527638593747268659503424679505127",
                "234980457146544880890865032790600999898",
                "210120537044147885691664891339392105481",
                "292492905465267454151737612724427887405",
                "280486828624852616156778499621092682380",
                "228673125842590335159842438410397838538",
                "49807311213965087224344065012709954551",
                "48482437393139703693371519746765077102",
                "62534491612219671490406506806748350593",
                "138630783112178388404070215934206601235",
                "193714031468061061406617456961415277941",
                "299274634125881609594822906901975125502",
                "132539644764195015592315032937428854617",
                "174663061703884599372045233391975426340",
                "11555079486112815350562018139828983988",
                "34257882930226616101983153007315589415",
                "31353717933996322886123824593250538446",
                "21271335941778981460605994779864151998",
                "208890030098014325952336781817163291160",
                "179297393479255811900113063427958649828",
                "52069523705454125640517567925362089814",
                "66907630029237898130022448398776176624",
                "333074141710635353878506192750459148821",
                "193158550669034608647805368907974049179",
                "297059475421850759510737622961085547826",
                "171391994903194177250611804604242940074",
                "34719609344178829366864905889387213944",
                "306901821255332985628533080495577651258",
                "250615303195781107561322106670704362012",
                "328457033308848315487199226632951650629",
                "259248223432601490132588019185390682918",
                "340255320359687359013330945585087191867",
                "139547377657727835501478172475216815527",
                "214969793502057626991746770383181915769",
                "135188553311474909687341648252650217840",
                "240065787396729442745125970288621253822",
                "139206988670498866679626039130926206993",
                "335452707034172192743396914698237548099",
                "333309824110830442145517101672003195281",
                "189336266743490374633496157664110814101",
                "3817051702481091677027333618089471422",
                "195397294076558958436808834981926433942",
                "282498541536355858654826860625327304577",
                "125633605962364828704269643141157709229",
                "287060428726822235811642923080626335574",
                "64006277052424082710107372190914558266",
                "260518870125903952614023249827239891253",
                "319581622303060756985407022009660243725",
                "278568042547292274143812817013068757535",
                "259248223432601490132588019185390682918",
                "55107051129751936841373291999343330484",
                "136488748789039047958430597422317383718",
                "230495407158806212845826723713713472993",
                "131557570718817043768665843943201291364",
                "235468943264645612607991779412102593947",
                "8923379875630290331663055391052364309",
                "102110050193778734086631377231301944076",
                "334076571278545317757828231966579099907",
                "147502473992126173225978973691068320833",
                "237780855329646775794153776278606176266",
                "263265135406124468651354984358592529277",
                "202608627323449169703147523763702892155",
                "162204553687476447082852980755459654056",
                "291912370330177498259288507317481190275",
                "119620339328917298641440486260130707171",
                "117484519222838233542471719633672994170",
                "47544686934763291430778977307595689321",
                "30667266725747102064391173270389011722",
                "259248223432601490132588019185390682918",
                "340255320359687359013330945585087191867",
                "139547377657727835501478172475216815527",
                "214969793502057626991746770383181915769",
                "131557570718817043768665843943201291364",
                "152398381670623089800254567015948340455",
                "333612519628599304014873437800702016835",
                "216867532741285736999178431121093549469",
                "333309824110830442145517101672003195281",
                "212648904631697942814822655160103575290",
                "284488755827791590215495480582863113299",
                "177928861611304533575568316544069592664",
                "282498541536355858654826860625327304577",
                "331794894978391532267491375582404883360",
                "267595810029781202401108389346133167010"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "file": "src/httpd_dacp.c",
            "function": "dacp_reply_mutetoggle"
        },
        "id": "CVE-2025-63647-feefa819",
        "deprecated": false,
        "source": "https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7",
        "digest": {
            "function_hash": "781252434238978932746871881873652908",
            "length": 395.0
        }
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63647.json"