Description
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0.
Published: 2026-02-04
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Memory & Disk exhaustion)
Action: Immediate Patch
AI Analysis

Impact

Navidrome, an open‑source music server, lets any authenticated user supply an oversized size parameter to the /rest/getCoverArt endpoint or to a shared-image URL of the form /share/img/<token>. The server resizes the cover art to the requested dimensions without bounding them, and because a raster image's memory footprint grows with the square of its edge length, a single large value forces an allocation far beyond what the host can serve. On systems with limited RAM the Linux OOM killer terminates the Navidrome process, causing a full service outage; on larger systems the request succeeds and the resulting image is written to the cache directory, where repeated requests rapidly exhaust disk space. The attack requires no privilege beyond a valid application credential.
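The following Go program is an added illustration of the failure mode described above and of the bounds check that removes it. It is not Navidrome's code: the handler, the 2048-pixel ceiling (MaxCoverSize) and the request shape are assumptions, and the handler reports the bytes a resize would need rather than allocating them, so it is safe to run on any machine.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// MaxCoverSize is an assumed ceiling for a requested cover-art edge length in
// pixels. It is illustrative; the limit Navidrome 0.60.0 actually enforces is
// not stated on this page.
const MaxCoverSize = 2048

// ParseSizeUnchecked mirrors the weak pattern the advisory describes: whatever
// integer the client sends becomes the target edge length of the resized image.
func ParseSizeUnchecked(raw string) (int, error) {
	if raw == "" {
		return 0, errors.New("size missing")
	}
	return strconv.Atoi(raw)
}

// ParseSizeClamped is the hardened form: non-numeric, non-positive and
// oversized values are rejected before any allocation happens.
func ParseSizeClamped(raw string) (int, error) {
	n, err := ParseSizeUnchecked(raw)
	if err != nil {
		return 0, err
	}
	if n <= 0 {
		return 0, fmt.Errorf("size %d is not positive", n)
	}
	if n > MaxCoverSize {
		return 0, fmt.Errorf("size %d exceeds limit %d", n, MaxCoverSize)
	}
	return n, nil
}

// RGBABytes returns the backing-store size image.NewRGBA would allocate for an
// n x n image (4 bytes per pixel), refusing values that could overflow.
func RGBABytes(n int) (uint64, bool) {
	if n <= 0 || n > 1<<30 {
		return 0, false
	}
	e := uint64(n)
	return e * e * 4, true
}

// CoverArtHandler simulates /rest/getCoverArt. Instead of resizing, it answers
// with the number of bytes the resized image would occupy in memory (and, once
// encoded, roughly on disk in the cache directory).
func CoverArtHandler(hardened bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		raw := r.URL.Query().Get("size")
		parse := ParseSizeUnchecked
		if hardened {
			parse = ParseSizeClamped
		}
		n, err := parse(raw)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		need, ok := RGBABytes(n)
		if !ok {
			http.Error(w, "size out of range", http.StatusBadRequest)
			return
		}
		// A real server would now do image.NewRGBA(image.Rect(0, 0, n, n)),
		// resize into it and write the encoded file to the cache: both steps
		// scale with n*n, which is the exhaustion path the advisory describes.
		fmt.Fprintf(w, "%d", need)
	}
}

// Probe sends one in-process request with the given size value and returns the
// HTTP status and body, so unpatched and hardened behaviour can be compared.
func Probe(hardened bool, size string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/rest/getCoverArt?id=al-1&size="+size, nil)
	CoverArtHandler(hardened).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, size := range []string{"300", "100000", "-1", "abc"} {
		c1, b1 := Probe(false, size)
		c2, b2 := Probe(true, size)
		fmt.Printf("size=%-7s unpatched: %d %s | hardened: %d %s\n", size, c1, b1, c2, b2)
	}
}
```

With size=100000 the unchecked path reports a 40 GB backing store for one request (100000 x 100000 x 4 bytes), which is the OOM-killer scenario; the clamped path returns 400 before any allocation. The overflow guard in RGBABytes matters on its own: a value large enough to wrap the n*n product would otherwise look small.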

Affected Systems

The flaw is present in all Navidrome releases prior to version 0.60.0, regardless of operating system or deployment environment. Any installation that permits authenticated API access is vulnerable. Only the 0.60.0 release and newer contain the patch that limits size handling and removes the uncontrolled allocation path.

Risk and Exploitability

The CVSS 4.0 base score of 9.2 rates this vulnerability as critical, yet the EPSS score is below 1 %, indicating that exploitation is currently rare, and the issue is not listed in the CISA KEV catalog. The two vectors on this record disagree on the precondition: the GitHub-assigned CVSS 4.0 vector scores PR:N, while NVD's CVSS 3.1 vector (6.5, PR:L) matches the advisory text, which requires an authenticated user. Either way a single request with an excessively large size parameter is enough, so the attack is trivial for anyone already holding credentials (the SSVC assessment marks it Automatable). Once triggered, the server stays unavailable until the process is restarted, and the oversized cached images have to be purged before disk space is recovered.

Generated by OpenCVE AI on April 17, 2026 at 23:08 UTC.

Remediation

Fixed upstream in Navidrome 0.60.0 (see the GitHub advisory GHSA-hrr4-3wgr-68x3 below); no vendor-supplied workaround for earlier releases is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Navidrome to version 0.60.0 or later to apply the vendor patch that limits size parsing and eliminates uncontrolled allocation.
  • If an upgrade cannot be performed immediately, configure your reverse proxy or load balancer to reject requests containing a size parameter above a reasonable threshold or to throttle repeated large requests.
  • As a temporary containment measure, clear the Navidrome cache directory and set a disk quota on that directory to prevent further space exhaustion, then monitor for signs of memory pressure.
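The reverse-proxy containment from the second bullet, written out as an nginx configuration. This is an added example, not configuration from the Navidrome project or from OpenCVE; it assumes nginx fronts Navidrome on 127.0.0.1:4533, and the 10000-pixel rejection threshold and the rate limits are illustrative values to tune for your clients.

```nginx
# In the http {} block.
# Classify the size query parameter: anything that is not a plain run of
# digits, or that is 5+ digits long (>= 10000 px, assumed threshold), is rejected.
map $arg_size $reject_cover_size {
    default          0;   # absent or small value: pass through
    "~^[0-9]{5,}$"   1;   # 10000 px or more
    "~[^0-9]"        1;   # negative numbers, letters, encoding tricks
}

# Throttle cover-art fetches per client so repeated large-but-allowed
# requests cannot fill the cache quickly (illustrative rate).
limit_req_zone $binary_remote_addr zone=coverart:10m rate=10r/s;

server {
    listen 443 ssl;
    server_name music.example.org;           # assumed hostname

    # Matches /rest/getCoverArt, /rest/getCoverArt.view and /share/img/<token>.
    location ~ ^/(rest/getCoverArt|share/img/) {
        if ($reject_cover_size) {
            return 400 "size parameter rejected\n";
        }
        limit_req zone=coverart burst=20 nodelay;
        proxy_pass http://127.0.0.1:4533;
    }

    location / {
        proxy_pass http://127.0.0.1:4533;
    }
}
```

The map rejects on the raw query value, so a request such as /rest/getCoverArt?id=al-1&size=100000 gets a 400 from nginx and never reaches Navidrome. This does not cover clients that talk to Navidrome directly, so it is containment until 0.60.0 is deployed, not a substitute for the upgrade.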

Generated by OpenCVE AI on April 17, 2026 at 23:08 UTC.

Advisories
Source        ID                    Title
Github GHSA   GHSA-hrr4-3wgr-68x3   Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints
History

Wed, 18 Feb 2026 19:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 05 Feb 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 11:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Navidrome
                                       Navidrome navidrome
Vendors & Products                     Navidrome
                                       Navidrome navidrome

Wed, 04 Feb 2026 22:15:00 +0000

Type          Values Removed   Values Added
Description                    Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0.
Title                          Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints
Weaknesses                     CWE-400
                               CWE-770
                               CWE-789
References
Metrics                        cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:31:33.790Z

Reserved: 2026-02-03T01:02:46.715Z

Link: CVE-2026-25579

Vulnrichment

Updated: 2026-02-05T14:24:50.049Z

NVD

Status : Analyzed

Published: 2026-02-04T22:16:01.257

Modified: 2026-02-18T19:01:54.600

Link: CVE-2026-25579

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses