CVE-2025-63648

7.5 HIGH

📋 TL;DR

A NULL pointer dereference vulnerability in owntone-server's DACP handling allows attackers to crash the service by sending a specially crafted request. This affects systems running vulnerable versions of owntone-server, potentially disrupting music streaming services.

💻 Affected Systems

Products:
  • owntone-server
Versions: before commit 5f526c7a7e08c567a5c72421d74a79dafdd07621
Operating Systems: Linux, macOS, FreeBSD
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all configurations where DACP service is enabled (default).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage requiring manual restart, disrupting all music streaming functionality.

🟠 Likely Case: Service crash causing temporary interruption until automatic or manual restart.

🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the DACP service port (default 3689).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 5f526c7a7e08c567a5c72421d74a79dafdd07621 or later

Vendor Advisory: https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md

Restart Required: Yes

Instructions:

1. Update owntone-server to latest version
2. Pull latest changes from GitHub repository
3. Rebuild and restart the service

🔧 Temporary Workarounds

Block DACP Port (linux)

Block access to the DACP service port to prevent exploitation:

sudo iptables -A INPUT -p tcp --dport 3689 -j DROP
sudo iptables -A INPUT -p udp --dport 3689 -j DROP

Disable DACP Service (all platforms)

Disable DACP functionality in the configuration: edit the configuration file to set 'disable-dacp = true'.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to owntone-server
  • Deploy intrusion detection systems to monitor for DACP exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the running build predates commit 5f526c7a7e08c567a5c72421d74a79dafdd07621

Check Version:

Run 'owntone --version', or check the git commit hash of the build

Verify Fix Applied:

Verify that the current commit includes 5f526c7a7e08c567a5c72421d74a79dafdd07621 or a later commit

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in logs
  • Unexpected service restarts
  • DACP request parsing errors

Network Indicators:

  • Multiple rapid DACP requests to port 3689
  • Malformed DACP packets

SIEM Query:

source="owntone.log" AND ("segmentation fault" OR "SIGSEGV" OR "null pointer")
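The following added example (not part of this advisory or the OwnTone project) turns the log and network indicators above into a small offline scanner: it counts crash indicators matching the SIEM query's terms plus the "DACP request parsing errors" and "unexpected restart" items, and flags source IPs that send bursts of DACP requests within a short window. The log line layout, the sample log, the IP addresses and the DACP request paths are constructed assumptions; adjust LINE_RE and REQUEST_RE to match the real log format of your deployment.

```python
"""Scan owntone-server log lines for the crash and burst indicators this advisory lists.

Added example. The "[timestamp] [level] module: message" layout is an assumption,
not OwnTone's documented log format; adapt LINE_RE before running on real logs.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line layout: "[YYYY-mm-dd HH:MM:SS] [LEVEL] module: message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\s*(?P<level>\w+)\]\s+(?P<module>\w+): (?P<msg>.*)$")
# Assumed shape of a DACP request log message
REQUEST_RE = re.compile(r"Request from (?P<ip>[\d.]+)")

# Crash indicators taken from the advisory's SIEM query and "Log Indicators" list.
INDICATORS = {
    "segfault": re.compile(r"segmentation fault|SIGSEGV", re.I),
    "null_pointer": re.compile(r"null pointer", re.I),
    "dacp_parse_error": re.compile(r"dacp.*(parse|malformed|invalid)", re.I),
    "restart": re.compile(r"\brestart", re.I),
}

# Constructed sample log: a burst of requests from one client, a parse failure,
# a crash, a restart, then a single benign request from another client.
SAMPLE_LOG = """\
[2025-01-10 12:00:01] [ LOG]   dacp: Request from 192.0.2.10: /ctrl-int/1/playstatusupdate
[2025-01-10 12:00:01] [ LOG]   dacp: Request from 192.0.2.10: /ctrl-int/1/playstatusupdate
[2025-01-10 12:00:01] [ LOG]   dacp: Request from 192.0.2.10: /ctrl-int/1/playstatusupdate
[2025-01-10 12:00:02] [ LOG]   dacp: Request from 192.0.2.10: /ctrl-int/1/playstatusupdate
[2025-01-10 12:00:02] [ LOG]   dacp: Request from 192.0.2.10: /ctrl-int/1/playstatusupdate
[2025-01-10 12:00:02] [ LOG]   dacp: Request from 192.0.2.10: /ctrl-int/1/playstatusupdate
[2025-01-10 12:00:02] [ LOG]   dacp: Could not parse request: null pointer in session lookup
[2025-01-10 12:00:02] [FATAL] main: Segmentation fault (SIGSEGV), dumping core
[2025-01-10 12:00:30] [ LOG]   main: Service restart after crash, OwnTone starting up
[2025-01-10 12:05:00] [ LOG]   dacp: Request from 192.0.2.20: /ctrl-int/1/getproperty
"""


def parse_line(line):
    """Split one log line into (timestamp, level, module, message); None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("level"), m.group("module"), m.group("msg")


def find_crash_indicators(lines):
    """Count how many lines match each crash indicator (a line may match several)."""
    hits = Counter()
    for line in lines:
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name] += 1
    return hits


def find_request_bursts(lines, threshold=5, window_seconds=2):
    """Return {ip: peak_count} for clients whose DACP request rate reaches the threshold
    inside any sliding window of window_seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, _level, module, msg = parsed
        req = REQUEST_RE.search(msg)
        if module == "dacp" and req:
            per_ip[req.group("ip")].append(ts)

    window = timedelta(seconds=window_seconds)
    bursts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, j = 0, 0
        # Two-pointer sweep: j never moves backwards because stamps are sorted.
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def analyze(log_text):
    """Run both checks over a whole log and return a summary dict."""
    lines = log_text.splitlines()
    return {
        "crash_indicators": dict(find_crash_indicators(lines)),
        "request_bursts": find_request_bursts(lines),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The burst threshold and window are starting points, not tuned values: a legitimate remote-control client can also send several DACP requests per second, so correlate a burst with a crash indicator from the same period before treating it as an exploitation attempt.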
