Music Player Daemon (MPD) versions prior to 0.24.11 contain a CRLF injection flaw within the XSPF playlist plugin. The bug originates in the xspf_char_data function, where Expat decodes numeric character references before passing character data to the callback. An attacker can supply a malicious XSPF playlist containing XML numeric character references that resolve to CR/LF bytes. These injected bytes are then written into URI fields and ultimately appear as forged key‑value pairs in MPD protocol responses such as playlistinfo, currentsong, and listplaylist, as well as in the state file generated by MPD. This loss of protocol integrity can lead to information disclosure or manipulation of client behavior.

All MusicPlayerDaemon MPD installations running a version earlier than 0.24.11 are affected. The patch is released in MPD 0.24.11, which removes the vulnerability by sanitizing input data in the XSPF playlist plugin.

The vulnerability scores a CVSS score of 6.9, reflecting moderate severity. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog. The likely attack vector requires the attacker to supply a crafted XSPF playlist to the MPD process; the exploit can be local if the attacker can influence playlist uploads or remote if the MPD server accepts playlists from untrusted network sources. Given the availability of a simple mitigated release and the potential for protocol disruption, the risk warrants timely remediation.