Description
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0.
EPSS Score: 0%
EUVD-2026-5324 Technical Analysis Report
Executive Summary
EUVD-2026-5324 (CVE-2026-25579) represents a critical resource exhaustion vulnerability in Navidrome, an open-source music streaming server. The vulnerability enables both authenticated and unauthenticated attackers to trigger denial-of-service conditions through uncontrolled memory allocation and disk space exhaustion. With a CVSS 4.0 base score of 9.2 (Critical), this vulnerability poses significant operational risks to affected deployments.
1. Vulnerability Assessment and Severity Evaluation
Technical Classification
- Vulnerability Type: Resource Exhaustion / Uncontrolled Resource Consumption (CWE-400)
- Attack Complexity: Low
- Authentication Required: None (contradicts initial description stating "authenticated users")
- User Interaction: None required
- Scope: System-level impact
Severity Analysis
CVSS 4.0 Score: 9.2 (Critical)
The CVSS vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H indicates:
- Attack Vector (AV:N): Network-accessible, remotely exploitable
- Attack Complexity (AC:L): Low complexity, no special conditions required
- Attack Requirements (AT:N): No additional attack requirements
- Privileges Required (PR:N): No authentication needed (critical concern)
- User Interaction (UI:N): Fully automated exploitation possible
- Vulnerable System Availability (VA:H): High impact - complete service disruption
- Subsequent System Availability (SA:H): High impact on system resources
Critical Severity Justification:
- No authentication barrier despite description mentioning authenticated users
- Dual-vector attack: Memory exhaustion AND disk space exhaustion
- Complete service disruption via OOM killer termination
- Persistent impact through cache pollution
- Trivial exploitation requiring only parameter manipulation
2. Attack Vectors and Exploitation Methods
Primary Attack Vectors
Vector 1: Authenticated Endpoint Exploitation
GET /rest/getCoverArt?id=<valid_id>&size=999999999
- Targets the REST API cover art endpoint
- Requires valid session/authentication
- Exploits image resizing functionality
Vector 2: Unauthenticated Share Link Exploitation
GET /share/img/<valid_token>?size=999999999
- Targets publicly shared image URLs
- No authentication required (higher risk)
- Exploitable if any shared content exists
Exploitation Methodology
Phase 1: Memory Exhaustion Attack
- Attacker identifies accessible Navidrome instance
- Obtains valid share token or authenticates
- Sends request with excessively large size parameter (e.g., 2147483647)
- Server attempts to allocate memory for massive image buffer
- Uncontrolled memory growth triggers Linux OOM killer
- Navidrome process terminated → immediate service outage
Phase 2: Disk Space Exhaustion Attack
- If system survives initial memory allocation
- Server writes enormous resized image to cache directory
- Attacker repeats requests with different parameters
- Cache directory rapidly fills available disk space
- Persistent denial of service even after process restart
Attack Characteristics
- Amplification Factor: Single HTTP request → gigabytes of resource consumption
- Repeatability: Fully automatable, scriptable attack
- Detection Difficulty: Appears as legitimate API usage initially
- Recovery Complexity: Requires manual intervention, cache cleanup, process restart
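The application-layer check that closes this class of bug, as an added Go example that is not Navidrome's own code: it bounds the size parameter before any buffer is allocated and exposes the arithmetic behind the amplification factor (a square RGBA bitmap costs size² × 4 bytes). MaxCoverSize, the handler, and the in-process request helper are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// MaxCoverSize is an assumed upper bound (pixels) for the requested edge
// length: a hypothetical value for this example, not Navidrome's own.
const MaxCoverSize = 2048
// RGBABytes returns the memory a size x size RGBA bitmap needs (4 bytes/pixel).
func RGBABytes(size int) uint64 {
	return uint64(size) * uint64(size) * 4 // cannot overflow for 32-bit sizes
}

// ParseSize validates the size parameter before any buffer is allocated: empty
// means "original size"; non-numeric, negative or over-limit values are rejected.
func ParseSize(raw string) (int, error) {
	if raw == "" {
		return 0, nil
	}
	n, err := strconv.Atoi(raw) // also fails for values wider than int
	if err != nil || n < 0 || n > MaxCoverSize {
		return 0, fmt.Errorf("size %q out of range 0..%d", raw, MaxCoverSize)
	}
	return n, nil
}

// CoverArtHandler is a stand-in image endpoint: it enforces the bound and
// reports the buffer the resize would need instead of performing it.
func CoverArtHandler(w http.ResponseWriter, r *http.Request) {
	size, err := ParseSize(r.URL.Query().Get("size"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "size=%d estimated_bytes=%d\n", size, RGBABytes(size))
}

func RequestStatus(rawSize string) int {
	rec := httptest.NewRecorder()
	CoverArtHandler(rec, httptest.NewRequest("GET", "/rest/getCoverArt?id=1&size="+rawSize, nil))
	return rec.Code
}

func main() {
	fmt.Printf("size=999999999 needs %d bytes; status %d\n", RGBABytes(999999999), RequestStatus("999999999"))
}
```

The estimate for size=999999999 comes to roughly 4 exabytes, which is why the allocation alone is enough to trip the OOM killer.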
3. Affected Systems and Software Versions
Vulnerable Software
- Product: Navidrome
- Vendor: Navidrome Project
- Affected Versions: All versions < 0.60.0
- Fixed Version: 0.60.0 and later
Deployment Scenarios at Risk
High-Risk Deployments:
- Public-facing instances with shared content enabled
- Multi-tenant environments where users can authenticate
- Resource-constrained systems (VPS, containers with memory limits)
- Unmonitored deployments without resource alerting
Infrastructure Considerations:
- Containerized deployments: OOM killer may terminate entire container
- Shared hosting: May impact co-located services
- Cloud instances: Could trigger auto-scaling costs or instance termination
- Home servers: Particularly vulnerable due to limited resources
European Context
Given Navidrome's popularity in European self-hosting communities and GDPR-compliant personal media server deployments, exposure is significant across:
- Personal/home server deployments
- Small business media libraries
- Educational institutions
- Community radio stations
4. Recommended Mitigation Strategies
Immediate Actions (Priority 1)
1. Upgrade to Patched Version
# Recommended immediate action
# Upgrade to Navidrome v0.60.0 or later
docker pull deluan/navidrome:0.60.0
# or update via package manager
2. Implement Request Parameter Validation
If an immediate upgrade is impossible, implement reverse proxy filtering:
# Nginx example - reject excessive size parameters
# The anchored digit-only pattern matches sizes of five or more digits (10000 and up);
# values with a sign or other prefix fall through to the upstream, so upgrading remains the fix.
location /rest/getCoverArt {
    if ($arg_size ~ "^[0-9]{5,}$") {
        return 400 "Size parameter too large";
    }
    proxy_pass http://navidrome;
}
location /share/img/ {
    if ($arg_size ~ "^[0-9]{5,}$") {
        return 400 "Size parameter too large";
    }
    proxy_pass http://navidrome;
}
3. Resource Limits (Defense in Depth)
# Docker Compose example
services:
  navidrome:
    image: deluan/navidrome:0.60.0
    mem_limit: 512m
    memswap_limit: 512m
    pids_limit: 100
    ulimits:
      nofile: 1024
Secondary Mitigations (Priority 2)
4. Network-Level Controls
- Implement rate limiting on vulnerable endpoints
- Deploy Web Application Firewall (WAF) with parameter validation
- Restrict access to trusted networks if possible
5. Monitoring and Detection
# Monitor for exploitation attempts
tail -f /var/log/navidrome.log | grep -E "size=[0-9]{6,}"
# Alert on memory spikes
# Configure monitoring for:
# - Sudden memory consumption increases
# - OOM killer events in system logs
# - Rapid cache directory growth
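A structured version of the log check above, as an added Go example that is not Navidrome's or this report's own tooling: it parses reverse-proxy access-log lines, flags requests to the two affected endpoints whose size value meets a threshold, and counts them per client for rate-based alerting. The combined log format, the threshold, and the sample lines are assumptions; the sample lines are constructed with placeholder addresses and token.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// OversizeThreshold (assumed) lines up with the 6-digit grep pattern above.
const OversizeThreshold = 100000
// SampleLog: constructed combined-format access-log lines; addresses and share token are placeholders.
var SampleLog = []string{
	`192.0.2.10 - - [01/Mar/2026:10:00:01 +0000] "GET /rest/getCoverArt?id=al-1&size=300 HTTP/1.1" 200 5120`,
	`198.51.100.7 - - [01/Mar/2026:10:00:02 +0000] "GET /rest/getCoverArt?id=al-1&size=999999999 HTTP/1.1" 200 0`,
	`198.51.100.7 - - [01/Mar/2026:10:00:03 +0000] "GET /share/img/TOKEN-PLACEHOLDER?size=99999999999999999999 HTTP/1.1" 200 0`,
	`203.0.113.4 - - [01/Mar/2026:10:00:04 +0000] "GET /share/img/TOKEN-PLACEHOLDER HTTP/1.1" 200 40960`,
}

var requestLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/`)
// ScanAccessLog returns a "client path size=value" entry for each cover-art or share-image
// request whose size meets the threshold (or is too wide to parse), plus a per-client count.
func ScanAccessLog(lines []string) ([]string, map[string]int) {
	var findings []string
	perClient := map[string]int{}
	for _, line := range lines {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[2])
		if err != nil || (u.Path != "/rest/getCoverArt" && !strings.HasPrefix(u.Path, "/share/img/")) {
			continue
		}
		raw := u.Query().Get("size")
		n, perr := strconv.ParseUint(raw, 10, 64)
		// uint64 overflow is oversize by definition; empty or non-numeric values are not flagged.
		if (perr == nil && n >= OversizeThreshold) || errors.Is(perr, strconv.ErrRange) {
			findings = append(findings, fmt.Sprintf("%s %s size=%s", m[1], u.Path, raw))
			perClient[m[1]]++
		}
	}
	return findings, perClient
}

func main() {
	fmt.Println(ScanAccessLog(SampleLog))
}
```

A value too wide for a 64-bit integer is still caught, which a naive parse-and-compare would silently drop.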
6. Filesystem Protections
# Limit cache directory size (Linux)
# Create separate partition or use quota
setquota -u navidrome 10G 12G 0 0 /cache-partition
Long-Term Security Posture
7. Security Hardening Checklist
- Disable public sharing if not required
- Implement authentication for all endpoints
- Regular security update schedule
- Automated vulnerability scanning
- Incident response procedures documented
- Backup and recovery procedures tested
8. Configuration Best Practices
# Navidrome configuration recommendations
[Server]
# Disable sharing if not needed
EnableSharing = false
# Implement strict session management
SessionTimeout = "24h"
# Enable audit logging
AuditLog = true
5. Impact on European Cybersecurity Landscape
Regulatory Considerations
GDPR Implications (Regulation EU 2016/679)
- Article 32 (Security of Processing): Vulnerability represents failure to ensure appropriate security measures
- Availability Impact: Service disruption may constitute data processing failure
- Notification Requirements: If personal data processing is disrupted, assessment needed for breach notification obligations
NIS2 Directive Relevance
- For entities covered under NIS2, this represents a significant availability risk