CVE-2025-63648

Source
https://cve.org/CVERecord?id=CVE-2025-63648
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63648.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-63648
Published
2026-01-20T21:16:04.333Z
Modified
2026-03-13T03:41:00.602991Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

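A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) by sending a crafted DACP request to the server. Per the CVSS vector listed under Severity, the issue is reachable over the network without privileges or user interaction, and the impact is limited to availability.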

References

Affected packages

Git / github.com/owntone/owntone-server

Affected ranges

Type
GIT
Repo
https://github.com/owntone/owntone-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "29.0"
        }
    ]
}

Affected versions

0.*
0.10
0.11
0.12
0.19
20.*
20.0
21.*
21.0
22.*
22.0
22.1
22.2
22.3
23.*
23.0
23.1
23.2
23.3
23.4
24.*
24.0
24.1
24.2
25.*
25.0
26.*
26.0
26.1
26.2
26.3
26.4
26.5
27.*
27.0
27.1
27.2
27.3
27.4
28.*
28.0
28.1
28.10
28.11
28.12
28.2
28.3
28.4
28.5
28.6
28.7
28.8
28.9
29.*
29.0
Other
fork_cleanedup
mt-daapd_svn1696

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63648.json"
vanir_signatures
[
    {
        "id": "CVE-2025-63648-0373c107",
        "signature_type": "Function",
        "digest": {
            "function_hash": "176904113778350746798798520462269434957",
            "length": 1488.0
        },
        "target": {
            "file": "src/httpd_dacp.c",
            "function": "dacp_reply_setspeakers"
        },
        "source": "https://github.com/owntone/owntone-server/commit/5f526c7a7e08c567a5c72421d74a79dafdd07621",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2025-63648-bf019021",
        "signature_type": "Function",
        "digest": {
            "function_hash": "279969910419396082512299073589280652449",
            "length": 2554.0
        },
        "target": {
            "file": "src/httpd_dacp.c",
            "function": "dacp_reply_playqueueedit_add"
        },
        "source": "https://github.com/owntone/owntone-server/commit/5f526c7a7e08c567a5c72421d74a79dafdd07621",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2025-63648-caac5cc7",
        "signature_type": "Function",
        "digest": {
            "function_hash": "312256007238691163639005209529699725457",
            "length": 811.0
        },
        "target": {
            "file": "src/httpd_dacp.c",
            "function": "dacp_reply_playqueueedit_move"
        },
        "source": "https://github.com/owntone/owntone-server/commit/5f526c7a7e08c567a5c72421d74a79dafdd07621",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2025-63648-dc04611f",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "5953320707228136552492135236980839488",
                "315358913851163571375961650439439459448",
                "220393227638357653263261618079219540560",
                "118213841743251457398608095003857611284",
                "90350015888154174267313576523508007282",
                "89794192395455708971863877583560006349",
                "320790009189606250424501801010131377392",
                "200446254261446968497001817790773730664",
                "242215669027716849465632720919604020844",
                "337234177744658406375457839580109469217",
                "288435275970987621462941736421333106759",
                "178634851231323509384888045455039394704",
                "191155742360509928952912174924478662218",
                "186676218330302962158936522128420177184",
                "267051103672255935461159778145848089699",
                "37218620836787022425213861788624166160",
                "159813459817949825578589038036283369762",
                "64619348439148983470397510355678234446",
                "192825944721924085927736496771125518344",
                "3108727230097806088515945878653980274",
                "283374478426816882634264307349914443488",
                "289846686738328559284082021818756019310",
                "50142823804202290671131108852939847082",
                "306438675708514639696033812314580730658",
                "246361624192288434179462480259533186034",
                "336930182548963166267322652169598998931",
                "218858571243779372204563279288363904384",
                "60048782259161044625103712957056307241",
                "15204926337511367888755812942955103091",
                "319181740761670015112105420592892669870",
                "21795699573772744483544221791864534222",
                "15274163120684406069626402409808148026",
                "171383573646186808036936420057255836213",
                "195955573325275987016795805730129925522",
                "50563828529640651874988618414125383682",
                "209591002925375675097146857794799794136",
                "291591937655839489810390317357345618222",
                "153531408921693918069317764534369171939",
                "117433793151402769999077056162598042888",
                "128530142472448539280749448395548062389",
                "212088009347782834441876356453993006721"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/httpd_dacp.c"
        },
        "source": "https://github.com/owntone/owntone-server/commit/5f526c7a7e08c567a5c72421d74a79dafdd07621",
        "signature_version": "v1",
        "deprecated": false
    }
]