CVE-2025-57155 – A NULL pointer dereference vulnerability in own... (How to Fix)

📋 TL;DR

A NULL pointer dereference vulnerability in owntone-server's DAAP service allows remote attackers to crash the service by sending specially crafted requests. This affects all systems running vulnerable versions of owntone-server with DAAP enabled, potentially disrupting media streaming services.

💻 Affected Systems

Products:

owntone-server

Versions: All versions through commit 5e6f19a (after version 28.2)

Operating Systems: Linux, BSD, macOS, Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists when DAAP service is enabled (default in many configurations).

📦 What is this software?

Owntone Server by Owntone

View all CVEs affecting Owntone Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service causing owntone-server to crash, disrupting all media streaming services until manual restart.

🟠

Likely Case

Service crash requiring restart, causing temporary interruption to media streaming capabilities.

🟢

If Mitigated

Minimal impact if service automatically restarts or if DAAP service is disabled.

🌐 Internet-Facing: HIGH if DAAP service is exposed to internet, as exploitation requires no authentication.

🏢 Internal Only: MEDIUM for internal networks, as attackers would need network access but no credentials.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending malformed DAAP requests to trigger NULL pointer dereference.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit d857116e4143a500d6a1ea13f4baa057ba3b0028 and later

Vendor Advisory: https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md

Restart Required: Yes

Instructions:

1. Update owntone-server to latest version or apply commit d857116e4143a500d6a1ea13f4baa057ba3b0028
2. Restart the owntone-server service
3. Verify the service is running correctly

🔧 Temporary Workarounds

Disable DAAP Service

all

Disable the vulnerable DAAP protocol if not required

Edit owntone.conf and set 'daap_port = 0' or 'disable_daap = true'
Restart owntone: sudo systemctl restart owntone

Network Segmentation

linux

Restrict access to DAAP port (3689 by default)

sudo iptables -A INPUT -p tcp --dport 3689 -j DROP
sudo iptables -A INPUT -p udp --dport 3689 -j DROP

🧯 If You Can't Patch

Implement network controls to restrict access to DAAP port (3689)
Monitor service health and implement automatic restart mechanisms

🔍 How to Verify

Check if Vulnerable:

Check owntone version: owntone --version or check if running commit before d857116e4143a500d6a1ea13f4baa057ba3b0028

Check Version:

owntone --version 2>/dev/null || grep 'version' /etc/owntone.conf

Verify Fix Applied:

Verify owntone is running commit d857116e4143a500d6a1ea13f4baa057ba3b0028 or later, and service remains stable during DAAP requests

📡 Detection & Monitoring

Log Indicators:

Segmentation fault errors in owntone logs
Service crash/restart events
Unusual DAAP request patterns

Network Indicators:

Multiple connection attempts to port 3689
Malformed DAAP protocol packets

SIEM Query:

source="owntone.log" AND ("segmentation fault" OR "SIGSEGV" OR "daap_reply_groups")

📊 Metadata

CVE ID: CVE-2025-57155

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.14% exploit probability (34th percentile)

Published: January 20, 2026

Last Updated: February 13, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-57155, you might also want to check these: