CVE-2026-25579
📋 TL;DR
This vulnerability allows authenticated users to crash Navidrome servers by sending requests with excessively large size parameters to image endpoints. Attackers can trigger uncontrolled memory growth that ends in service termination by the Linux OOM killer, and can potentially exhaust disk space by filling cache directories with oversized images. All Navidrome installations prior to version 0.60.0 are affected.
💻 Affected Systems
- Navidrome
📦 What is this software?
Navidrome by Navidrome
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage with server termination, potential disk space exhaustion requiring manual cleanup, and possible data corruption if the system crashes during operations.
Likely Case
Service disruption through server crashes, requiring manual restart and cleanup of oversized cached images.
If Mitigated
Minimal impact with proper input validation and resource limits in place, though authenticated users could still cause temporary service interruptions.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial: simply sending large size parameters to the specified endpoints. Shared image endpoints may be exploitable without authentication if share tokens are known or guessable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.60.0
Vendor Advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3
Restart Required: Yes
Instructions:
1. Back up your Navidrome configuration and database.
2. Stop the Navidrome service.
3. Update to version 0.60.0 or later using your package manager or by downloading from GitHub releases.
4. Restart the Navidrome service.
5. Verify the service is running correctly.
🔧 Temporary Workarounds
Implement request size limits
Configure the reverse proxy or web server to limit request parameters and body sizes
# For nginx: client_max_body_size 10M;
# For Apache: LimitRequestBody 10485760
Restrict image endpoint access
Use firewall rules or authentication to restrict access to the /rest/getCoverArt and /share/img/ endpoints
# Example iptables rule: iptables -A INPUT -p tcp --dport [NAVIDROME_PORT] -m string --string "/rest/getCoverArt" --algo bm -j DROP
🧯 If You Can't Patch
- Implement strict authentication controls and monitor for suspicious requests to image endpoints
- Set up monitoring for memory usage spikes and disk space consumption on Navidrome servers
🔍 How to Verify
Check if Vulnerable:
Check the Navidrome version: if it is below 0.60.0, you are vulnerable. Test by sending a request to /rest/getCoverArt with the parameter size=9999999 (use caution, as this may crash the service).
Check Version:
Check the Navidrome web interface settings page or run: navidrome --version
Verify Fix Applied:
After updating to 0.60.0 or later, attempt to send oversized size parameters: the server should reject them with an error instead of attempting to process them.
📡 Detection & Monitoring
Log Indicators:
- Memory allocation errors
- OOM killer messages in system logs
- Unusually large image processing requests
- Rapid disk space consumption in cache directory
Network Indicators:
- Multiple requests to /rest/getCoverArt or /share/img/ with large size parameters
- Sudden service unavailability after image requests
SIEM Query:
source="navidrome.log" AND ("getCoverArt" OR "share/img") AND size>10000
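As an added illustration of the log and network indicators above (this is not part of the advisory and not Navidrome's own code): a small Python detector that reads reverse-proxy access-log lines, flags requests to /rest/getCoverArt and /share/img/ whose size parameter exceeds the same 10000 threshold the SIEM query uses, and groups the hits by client address so a burst from one source stands out. The log format (nginx "combined") and the sample lines are constructed assumptions; Navidrome's own log output may look different and would need its own regex.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in nginx "combined" access-log format, as a reverse proxy in
# front of Navidrome might write them. Made-up entries for demonstration, not real output.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2026:10:01:02 +0000] "GET /rest/getCoverArt?id=al-1&size=300&u=alice HTTP/1.1" 200 14233 "-" "DSub/5.5"
10.0.0.9 - - [12/Feb/2026:10:01:05 +0000] "GET /rest/getCoverArt?id=al-1&size=9999999&u=bob HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.0.0.9 - - [12/Feb/2026:10:01:06 +0000] "GET /share/img/abc123?size=50000 HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.0.0.9 - - [12/Feb/2026:10:01:07 +0000] "GET /rest/getCoverArt?id=al-2&size=20000 HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.0.0.5 - - [12/Feb/2026:10:01:09 +0000] "GET /rest/stream?id=tr-7 HTTP/1.1" 200 512000 "-" "DSub/5.5"
10.0.0.7 - - [12/Feb/2026:10:01:10 +0000] "GET /rest/getCoverArt?id=al-3&size=abc HTTP/1.1" 400 0 "-" "curl/8.5.0"
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The two image endpoints named in the advisory.
WATCHED_PREFIXES = ("/rest/getCoverArt", "/share/img/")
# Same threshold as the advisory's SIEM query (size>10000).
SIZE_THRESHOLD = 10000


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query, keep_blank_values=True)
    size = None
    if "size" in qs:
        try:
            size = int(qs["size"][0])
        except ValueError:
            size = None  # non-numeric size is not the memory-growth pattern; ignore here
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "size": size,
        "status": int(m.group("status")),
    }


def find_oversized_requests(log_text, threshold=SIZE_THRESHOLD):
    """Return the records for image-endpoint requests whose size exceeds the threshold."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        if rec["size"] is not None and rec["size"] > threshold:
            hits.append(rec)
    return hits


def clients_by_hits(hits, min_hits=2):
    """Group hits by client address; keep only clients at or above min_hits."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = find_oversized_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["path"]} size={h["size"]} status={h["status"]}')
    print("repeat offenders:", clients_by_hits(found))
```

Because this reads the proxy's access log rather than packet payloads, it still sees the size parameter when clients talk to the proxy over TLS; pair it with the OS-level memory and disk indicators listed above, since a single oversized request can be enough to trigger the OOM killer before a second one is logged.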