Login Sign Up

CVE-2025-63647

7.5 HIGH
Denial of Service

📋 TL;DR

A NULL pointer dereference vulnerability in owntone-server's parse_meta function allows attackers to crash the server by sending a specially crafted DAAP request, causing denial of service. This affects all systems running vulnerable versions of owntone-server with DAAP service enabled.

💻 Affected Systems

Products:
  • owntone-server
Versions: Versions before commit 53ee9a3c3921e5448f502800c4dfa787865f6cb7
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with DAAP service enabled (default in most configurations).

📦 What is this software?

Owntone Server by Owntone

View all CVEs affecting Owntone Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage of owntone-server, disrupting media streaming services until manual restart.

🟠

Likely Case

Service crash requiring manual intervention to restore functionality.

🟢

If Mitigated

Minimal impact if server is behind proper network controls and not exposed to untrusted networks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires network access to DAAP port (default 3689).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 53ee9a3c3921e5448f502800c4dfa787865f6cb7 or later

Vendor Advisory: https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7

Restart Required: Yes

Instructions:

1. Update to latest owntone-server version from GitHub. 2. Rebuild from source if using source installation. 3. Restart the owntone-server service.

🔧 Temporary Workarounds

Disable DAAP Service

linux

Temporarily disable the DAAP protocol to prevent exploitation.

Edit owntone configuration to set 'disable-daap = true' and restart service

Network Access Control

linux

Restrict access to DAAP port (3689) using firewall rules.

sudo iptables -A INPUT -p tcp --dport 3689 -j DROP
sudo iptables -A INPUT -p udp --dport 3689 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate owntone-server from untrusted networks.
  • Deploy intrusion detection/prevention systems to monitor for DAAP protocol anomalies.

🔍 How to Verify

Check if Vulnerable:

Check if running version before commit 53ee9a3c3921e5448f502800c4dfa787865f6cb7 and DAAP service is enabled.

Check Version:

owntone --version or check git commit hash in installation directory

Verify Fix Applied:

Verify current version includes commit 53ee9a3c3921e5448f502800c4dfa787865f6cb7 and test DAAP service functionality.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in system logs
  • Unexpected owntone-server crashes
  • DAAP request parsing errors

Network Indicators:

  • Unusual traffic patterns to port 3689
  • Malformed DAAP protocol packets

SIEM Query:

source="owntone.log" AND ("segmentation fault" OR "crash" OR "parse_meta")

📊 Metadata

CVE ID: CVE-2025-63647
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-476
EPSS Score: 0.05% exploit probability (15.2th percentile)
Published: January 20, 2026
Last Updated: February 13, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-63647, you might also want to check these:

CVE-2022-36648 10.0

This CVE describes a vulnerability in QEMU's hardware emulation where a malformed program executed i...

Same vulnerability type (CWE-476)
CVE-2022-30592 9.8

This vulnerability in LiteSpeed QUIC (LSQUIC) before version 3.1.0 involves improper handling of MAX...

Same vulnerability type (CWE-476)
CVE-2023-47003 9.8

A NULL pointer dereference vulnerability in RedisGraph allows attackers to execute arbitrary code or...

Same vulnerability type (CWE-476)