Platform
go
Component
github.com/navidrome/navidrome
Fixed versions
0.60.1
0.60.0
CVE-2026-25579 is a critical Denial of Service (DoS) vulnerability affecting Navidrome, a self-hosted media server. An attacker can trigger disk exhaustion and potentially crash the service by sending oversized size parameters to the /rest/getCoverArt and /share/img/<token> endpoints. The vulnerability affects all versions prior to 0.60.0 and is fixed in the 0.60.0 release.
The primary impact of CVE-2026-25579 is Denial of Service. A malicious actor can repeatedly send requests with excessively large size parameters, filling the server's disk and rendering the service unavailable. This disrupts media streaming for legitimate users, and because the exhausted resource is disk space on the host rather than memory inside the Navidrome process, other processes sharing the same filesystem can be starved as well. The blast radius extends to every user of the affected instance while the attack is under way. Data exfiltration is not a concern for this issue, though a disk that stays full can also cause unrelated writes on the same host to fail until the space is reclaimed.
CVE-2026-25579 was published on 2026-02-05. There is currently no indication of active exploitation in the wild, and no public Proof-of-Concept (PoC) exploit has been released as of this writing. The EPSS score is currently 0.02% (4th percentile), consistent with the absence of observed exploitation. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploitation status
EPSS
0.02% (4th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-25579 is to upgrade Navidrome to version 0.60.0 or later, which contains the fix. If upgrading is not immediately feasible, apply temporary workarounds at a reverse proxy or WAF in front of Navidrome: rate-limit requests to the /rest/getCoverArt and /share/img/<token> endpoints, and reject requests whose size parameter exceeds what your clients actually need. Note that size is a requested pixel dimension, not a byte count, so the ceiling should be expressed in pixels; a few thousand pixels is ample for cover art, and the exact value is a deployment choice. Watch disk usage on the volume that holds Navidrome's data and cache so that an exhaustion attempt is noticed before the disk fills. After upgrading, confirm the fix by requesting cover art with a deliberately oversized size value from each endpoint and verifying that the server handles the request without crashing or consuming disk space.
Upgrade Navidrome to 0.60.0 or later. This version fixes the vulnerability that allows denial of service and disk exhaustion. You can download the latest version from the official Navidrome website or the GitHub repository.
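A workaround of the kind described above, written here as an added example that is neither Navidrome's own code nor part of the original advisory: a small Go reverse proxy placed in front of Navidrome that rejects artwork requests whose size parameter is malformed or above a pixel ceiling, applies a per-client rate limit to the two endpoints, and forwards everything else untouched. The 2048 px cap, the 60-requests-per-minute budget, the upstream address 127.0.0.1:4533 and the listen port 8080 are assumptions for the example, not Navidrome defaults.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strconv"
	"strings"
	"sync"
	"time"
)

// Assumed limits for this example: "size" is a requested pixel dimension, not a
// byte count, and 2048 px is far more than cover art needs; the per-client
// fixed-window budget below is likewise a starting point, not a Navidrome default.
const (
	maxCoverSize         = 2048
	maxRequestsPerWindow = 60
	windowLen            = time.Minute
)

// isArtworkPath matches the two endpoints named in the advisory; Subsonic
// clients may append ".view" to API paths.
func isArtworkPath(p string) bool {
	return p == "/rest/getCoverArt" || p == "/rest/getCoverArt.view" ||
		strings.HasPrefix(p, "/share/img/")
}

// checkSizeParam returns a non-empty rejection reason for a bad "size" value.
func checkSizeParam(q url.Values) string {
	raw := q.Get("size")
	if raw == "" {
		return "" // absent: the server serves the stored image as-is
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n <= 0 {
		return "size must be a positive integer"
	}
	if n > maxCoverSize {
		return fmt.Sprintf("size %d exceeds the %d px limit", n, maxCoverSize)
	}
	return ""
}

// rateLimiter counts requests per client address in a fixed window. The clock
// is injectable so the reset can be tested without sleeping; counts is created
// whenever the window rolls over, including the first call (start is zero).
type rateLimiter struct {
	mu     sync.Mutex
	start  time.Time
	counts map[string]int
	now    func() time.Time
}

// allow records one request from client and reports whether it fits the budget.
func (r *rateLimiter) allow(client string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	t := r.now()
	if t.Sub(r.start) >= windowLen {
		r.start = t
		r.counts = map[string]int{}
	}
	r.counts[client]++
	return r.counts[client] <= maxRequestsPerWindow
}

// guard wraps an upstream handler: artwork requests over budget get 429, those
// with a malformed or oversized size get 400, everything else is forwarded.
func guard(upstream http.Handler, rl *rateLimiter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if isArtworkPath(req.URL.Path) {
			client, _, err := net.SplitHostPort(req.RemoteAddr)
			if err != nil {
				client = req.RemoteAddr
			}
			if !rl.allow(client) {
				http.Error(w, "too many artwork requests", http.StatusTooManyRequests)
				return
			}
			if reason := checkSizeParam(req.URL.Query()); reason != "" {
				http.Error(w, reason, http.StatusBadRequest)
				return
			}
		}
		upstream.ServeHTTP(w, req)
	})
}

func main() {
	// Assumed deployment: Navidrome on its default port 4533 on the same host.
	target := &url.URL{Scheme: "http", Host: "127.0.0.1:4533"}
	proxy := httputil.NewSingleHostReverseProxy(target)
	log.Fatal(http.ListenAndServe(":8080", guard(proxy, &rateLimiter{now: time.Now})))
}
```

Run it on the Navidrome host with `go run main.go` and point clients at port 8080. It is a stopgap only: it guards the one parameter named in the advisory and is no substitute for the 0.60.0 upgrade, and a production deployment would normally express the same checks in its existing reverse proxy or WAF rather than add a second process.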
CVE-2026-25579 is a critical Denial of Service vulnerability in Navidrome media server versions prior to 0.60.0. Attackers can exploit oversized size parameters to exhaust disk space and disrupt service availability.
You are affected if you are running any Navidrome version prior to 0.60.0. Upgrade to version 0.60.0 or later to mitigate the risk.
Upgrade Navidrome to version 0.60.0 or later. As a temporary workaround, implement rate limiting or input validation on the /rest/getCoverArt and /share/img/<token> endpoints.
As of now, there is no public evidence of active exploitation in the wild, but continuous monitoring is recommended.
Refer to the official Navidrome GitHub repository and release notes for the latest information and advisory regarding CVE-2026-25579: https://github.com/navidrome/navidrome