Platform
go
Component
github.com/navidrome/navidrome
Fixed in
0.60.1
0.60.0
CVE-2026-25579 is a critical Denial of Service (DoS) vulnerability affecting Navidrome, a self-hosted media server. An attacker can trigger disk exhaustion and potentially crash the service by sending oversized size parameters to the /rest/getCoverArt and /share/img/<token> endpoints. This vulnerability impacts versions prior to 0.60.0 and has been addressed in the 0.60.0 release.
The primary impact of CVE-2026-25579 is a Denial of Service. A malicious actor can repeatedly send requests with excessively large size parameters, overwhelming the server's disk space and potentially leading to service unavailability. This could disrupt media streaming for legitimate users and potentially allow an attacker to exhaust system resources, hindering other processes. The blast radius extends to all users relying on the affected Navidrome instance, as the service becomes unresponsive under attack. While direct data exfiltration isn't the primary concern, prolonged DoS could indirectly impact data integrity if critical backups are missed due to service downtime.
CVE-2026-25579 was published on 2026-02-05. There is currently no indication of active exploitation in the wild. The EPSS score is pending evaluation. No Proof-of-Concept (PoC) exploits have been publicly released as of this writing. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-25579 is to immediately upgrade Navidrome to version 0.60.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds such as rate limiting requests to the /rest/getCoverArt and /share/img/<token> endpoints using a reverse proxy or WAF. Configure the proxy to reject requests with unusually large size parameters (e.g., exceeding 1MB). Monitor disk space usage closely to detect potential exhaustion. After upgrading, confirm the fix by sending a request with a deliberately oversized size parameter to the affected endpoints and verifying that the server handles it gracefully without crashing or exhausting disk space.
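One way to implement the proxy-side workaround described above (rejecting requests to the two affected endpoints whose size parameter is out of range before they reach Navidrome), as an added example in Go that is not Navidrome's own code: the cap MaxCoverSize, the matched path prefixes and the 400 response are assumptions to adapt to your deployment.

```go
package main

import (
	"net/http"
	"strconv"
	"strings"
)

// MaxCoverSize is an assumed cap on the "size" parameter (a requested pixel
// dimension); it is a placeholder chosen here, not a value from the advisory.
const MaxCoverSize = 2048

// isGuardedPath matches the two endpoints named in the advisory (assumed prefixes).
func isGuardedPath(p string) bool {
	return strings.HasPrefix(p, "/rest/getCoverArt") || strings.HasPrefix(p, "/share/img/")
}

// ValidateSize accepts an absent parameter (the server applies its default)
// or a positive integer up to MaxCoverSize; anything else (non-numeric,
// negative, overflowing or oversized) is rejected so the backend never
// renders or caches an oversized image.
func ValidateSize(raw string) (int, bool) {
	if raw == "" {
		return 0, true
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n <= 0 || n > MaxCoverSize {
		return 0, false
	}
	return n, true
}

// SizeGuard answers 400 before the request reaches Navidrome when the size
// parameter on a guarded endpoint is out of range; other paths pass through.
func SizeGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isGuardedPath(r.URL.Path) {
			if _, ok := ValidateSize(r.URL.Query().Get("size")); !ok {
				http.Error(w, "invalid size parameter", http.StatusBadRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}
```

Log the rejected requests at the proxy so that a burst of out-of-range size values on these endpoints shows up in monitoring alongside the disk-usage checks mentioned above.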
Update Navidrome to version 0.60.0 or later. This version fixes the vulnerability that allows denial of service and disk exhaustion. You can download the latest release from the official Navidrome website or from the GitHub repository.
CVE-2026-25579 is a critical Denial of Service vulnerability in Navidrome media server versions prior to 0.60.0. Attackers can exploit oversized size parameters to exhaust disk space and disrupt service availability.
You are affected if you are running Navidrome versions 0.59.0 or earlier. Upgrade to version 0.60.0 or later to mitigate the risk.
Upgrade Navidrome to version 0.60.0 or later. As a temporary workaround, implement rate limiting or input validation on the /rest/getCoverArt and /share/img/<token> endpoints.
As of now, there is no public evidence of active exploitation in the wild, but continuous monitoring is recommended.
Refer to the official Navidrome GitHub repository and release notes for the latest information and advisory regarding CVE-2026-25579: https://github.com/navidrome/navidrome