Platform
go
Component
github.com/navidrome/navidrome
Fixed in
0.60.1
0.60.0
CVE-2026-25579 is a critical Denial of Service (DoS) vulnerability in Navidrome, a self-hosted media server. An attacker can trigger disk exhaustion, and potentially crash the service, by supplying oversized size parameters to the /rest/getCoverArt and /share/img/<token> endpoints. Versions prior to 0.60.0 are affected; the fix shipped in the 0.60.0 release.
The primary impact of CVE-2026-25579 is Denial of Service. A malicious actor can repeatedly send requests with excessively large size parameters, filling the server's disk and eventually making the service unavailable. This disrupts media streaming for legitimate users, and because the exhausted disk is usually shared, it can also starve other processes on the same host. The blast radius covers every user of the affected Navidrome instance, which becomes unresponsive while under attack. Data exfiltration is not the concern here; the indirect risk is that prolonged downtime causes scheduled jobs such as backups to be missed.
CVE-2026-25579 was published on 2026-02-05. There is currently no indication of active exploitation in the wild. The EPSS score is 0.02% (4th percentile). No public Proof-of-Concept (PoC) exploit has been released as of this writing. Monitor security advisories and threat intelligence feeds for updates regarding exploitation attempts.
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-25579 is to upgrade Navidrome to version 0.60.0 or later, which contains the fix. If upgrading is not immediately feasible, apply temporary workarounds at a reverse proxy or WAF: rate-limit requests to the /rest/getCoverArt and /share/img/<token> endpoints, and reject requests whose size parameter is not a small positive integer. Note that size is a pixel dimension (the requested image edge length), not a byte count, so the bound should be a sane pixel limit of at most a few thousand, well below what any client needs. Monitor disk usage closely to detect exhaustion early. After upgrading, confirm the fix by sending a request with a deliberately oversized size parameter to each affected endpoint and verifying that the server rejects or clamps it without crashing or consuming disk space.
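As an added example, not code from the Navidrome project or from this advisory, the following Go program implements the interim workaround described above as a small reverse proxy placed in front of an unpatched instance. It rejects requests to /rest/getCoverArt and /share/img/<token> whose size parameter is missing a valid value or exceeds an assumed pixel ceiling, and forwards everything else unchanged. The upstream address (127.0.0.1:4533), the listening port, and the 2000-pixel limit are assumptions for illustration; rate limiting is left to the proxy or WAF that already fronts the service.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strconv"
	"strings"
)

// MaxCoverArtSize is an assumed ceiling in pixels for the Subsonic "size"
// query parameter; tune it to the largest artwork your clients actually request.
const MaxCoverArtSize = 2000

var (
	ErrSizeInvalid  = errors.New("size must be a positive integer")
	ErrSizeTooLarge = errors.New("size exceeds configured limit")
)

// ParseSize validates the raw "size" query value. An empty value is allowed
// (the upstream serves the original image); anything that is not a positive
// integer at or below max is rejected before it reaches Navidrome.
func ParseSize(raw string, max int) (int, error) {
	if raw == "" {
		return 0, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n <= 0 {
		return 0, ErrSizeInvalid
	}
	if n > max {
		return 0, ErrSizeTooLarge
	}
	return n, nil
}

// isImageEndpoint matches the two endpoints named in the advisory, including
// the ".view" suffix that Subsonic clients commonly append.
func isImageEndpoint(p string) bool {
	return strings.HasPrefix(p, "/rest/getCoverArt") || strings.HasPrefix(p, "/share/img/")
}

// LimitCoverArtSize wraps an upstream handler and answers 400 for oversized or
// malformed size parameters on the image endpoints; other paths pass through.
func LimitCoverArtSize(next http.Handler, max int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isImageEndpoint(r.URL.Path) {
			if _, err := ParseSize(r.URL.Query().Get("size"), max); err != nil {
				http.Error(w, err.Error(), http.StatusBadRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed: Navidrome listening on its default port on the same host.
	target, err := url.Parse("http://127.0.0.1:4533")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	log.Fatal(http.ListenAndServe(":8080", LimitCoverArtSize(proxy, MaxCoverArtSize)))
}
```

Point clients at port 8080 instead of 4533 while the instance is unpatched. Because ParseSize rejects rather than silently clamps, a rejected request also shows up as a 400 in the proxy logs, which doubles as a cheap detection signal for the probing described in the verification step.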
Update Navidrome to version 0.60.0 or later. This version fixes the vulnerability that allows denial of service through disk-space exhaustion. You can download the latest release from the official Navidrome website or from the GitHub repository.
CVE-2026-25579 is a critical Denial of Service vulnerability in Navidrome media server versions prior to 0.60.0. Attackers can exploit oversized size parameters to exhaust disk space and disrupt service availability.
You are affected if you are running any Navidrome version before 0.60.0 (0.59.x or earlier). Upgrade to version 0.60.0 or later to mitigate the risk.
Upgrade Navidrome to version 0.60.0 or later. As a temporary workaround, implement rate limiting or input validation on the /rest/getCoverArt and /share/img/<token> endpoints.
As of now, there is no public evidence of active exploitation in the wild, but continuous monitoring is recommended.
Refer to the official Navidrome GitHub repository and release notes for the latest information and advisory regarding CVE-2026-25579: https://github.com/navidrome/navidrome