CVE-2025-63648 Overview
A NULL pointer dereference vulnerability exists in the dacp_reply_playqueueedit_move function within src/httpd_dacp.c of owntone-server commit b7e385f. This vulnerability allows remote attackers to cause a Denial of Service (DoS) condition by sending specially crafted DACP (Digital Audio Control Protocol) requests to the server, resulting in a segmentation fault and server crash.
Critical Impact
Remote attackers can crash owntone-server instances without authentication by exploiting improper NULL pointer handling in DACP request processing, disrupting media streaming services.
Affected Products
- owntone-server (commit b7e385f and prior versions)
- Systems running vulnerable owntone-server instances with DACP enabled
- Network-accessible media server deployments
Discovery Timeline
- 2026-01-20 - CVE-2025-63648 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-63648
Vulnerability Analysis
This vulnerability stems from a NULL pointer dereference (CWE-476) in the DACP request handling code of owntone-server. The dacp_reply_playqueueedit_move function fails to properly validate query parameters before dereferencing them, allowing attackers to trigger a segmentation fault by sending malformed DACP requests with missing or invalid query components.
The vulnerability is network-accessible and requires no authentication or user interaction to exploit. When a crafted DACP request reaches the vulnerable function, the server attempts to dereference a NULL pointer, causing an immediate crash. This makes it particularly dangerous for publicly accessible or shared network media server deployments.
Root Cause
The root cause is insufficient input validation in the DACP query parsing logic. The dacp_reply_playqueueedit_move function processes incoming query parameters without verifying that required pointer values are non-NULL before use. When an attacker sends a request with missing or malformed query parameters, the code path leads to a NULL pointer dereference, resulting in a segmentation fault.
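The missing-parameter and malformed-parameter cases described above, as an added example that is not owntone-server's code: a query lookup that can return NULL, and a parser for a `src,dst` pair that checks every pointer before it is used. The `kv` struct, `query_find`, `parse_int`, `parse_move_pair` and the `move-pair` key are hypothetical names chosen for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

struct kv { const char *key; const char *value; };   /* one decoded query pair */

/* Hypothetical lookup helper: returns NULL when the key is absent. */
static const char *query_find(const struct kv *q, size_t n, const char *key)
{
  for (size_t i = 0; i < n; i++)
    if (strcmp(q[i].key, key) == 0)
      return q[i].value;
  return NULL;
}

/* Parse a non-negative decimal int; *end is set to the first unparsed char. */
static int parse_int(const char *s, const char **end, int *out)
{
  char *e;
  long v;
  if (*s < '0' || *s > '9')             /* rejects "", signs and whitespace */
    return -1;
  errno = 0;
  v = strtol(s, &e, 10);
  if (errno != 0 || v > INT_MAX)        /* overflow */
    return -1;
  *out = (int)v;
  *end = e;
  return 0;
}

/* Generic unsafe shape of this bug class: atoi(strchr(param, ',') + 1) with
 * neither param nor the strchr() result checked. This version returns 0 on
 * success and -1 when the caller should reject the request as malformed.
 * "move-pair" is a hypothetical key. */
int parse_move_pair(const struct kv *q, size_t n, int *src, int *dst)
{
  const char *param = query_find(q, n, "move-pair");
  const char *ptr;
  if (!param)                                            /* key absent */
    return -1;
  if (parse_int(param, &ptr, src) < 0 || *ptr != ',')    /* no number or comma */
    return -1;
  if (parse_int(ptr + 1, &ptr, dst) < 0 || *ptr != '\0') /* bad or trailing data */
    return -1;
  return 0;
}
```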
Attack Vector
The attack vector is network-based, requiring the attacker to send specially crafted DACP requests to the owntone-server's HTTP interface. DACP is Apple's protocol for controlling iTunes/music playback, and owntone-server implements this protocol to provide remote control functionality. An attacker with network access to the server can craft requests that omit required parameters or include invalid query strings, triggering the vulnerability without any authentication.
const char *querymodifier;
const char *sort;
const char *param;
+ const char *ptr;
char modifiedquery[32];
int mode;
int plid;
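Review bot: the added `const char *ptr;` in the declaration block is left uninitialized, and this excerpt does not show where it is assigned or tested. Initialize it at declaration (`const char *ptr = NULL;`) or declare it at the point of assignment, so that no path can read it before it is set, and confirm that both `param` and `ptr` are compared against NULL before either is dereferenced. The code that actually performs the check is outside these lines, so the excerpt alone is not enough to verify the fix.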
Source: GitHub Commit Details
The patch introduces an additional pointer variable (ptr) to properly handle query validation and prevent the NULL pointer dereference condition.
Detection Methods for CVE-2025-63648
Indicators of Compromise
- Unexpected owntone-server process crashes or restarts
- Segmentation fault entries in system logs associated with owntone-server
- Unusual DACP request patterns in HTTP access logs targeting playqueue edit endpoints
- Service availability interruptions without apparent resource exhaustion
Detection Strategies
- Monitor owntone-server process stability and alert on unexpected or automatic restarts
- Analyze HTTP access logs for malformed or unusual DACP requests to /ctrl-int/ endpoints
- Deploy network-based intrusion detection rules to identify anomalous DACP traffic patterns
- Implement application-level logging to capture request details before crash events
Monitoring Recommendations
- Configure crash dump collection for owntone-server processes to enable post-incident analysis
- Set up service health monitoring with alerts for repeated process restarts
- Review firewall logs for scanning activity targeting owntone-server ports
- Monitor system logs for segfault signals (SIGSEGV) associated with the httpd_dacp module
How to Mitigate CVE-2025-63648
Immediate Actions Required
- Update owntone-server to a version containing commit 5f526c7a7e08c567a5c72421d74a79dafdd07621 or later
- Restrict network access to owntone-server to trusted networks and clients only
- Implement firewall rules to limit DACP protocol access to authorized devices
- Consider temporarily disabling DACP functionality if not required for operations
Patch Information
The vulnerability has been addressed in commit 5f526c7a7e08c567a5c72421d74a79dafdd07621. Users should update their owntone-server installation from the official repository to obtain the fix. The patch adds proper pointer validation to prevent the NULL pointer dereference condition. For detailed information, refer to the GitHub Issue Discussion and the GitHub Security Advisory.
Workarounds
- Configure firewall rules to restrict DACP port access to trusted IP addresses only
- Deploy owntone-server behind a reverse proxy with request validation capabilities
- Implement network segmentation to isolate media server infrastructure from untrusted networks
- Use host-based intrusion prevention to detect and block malicious request patterns
# Configuration example - Restrict access to owntone-server using iptables
# Allow DACP access only from trusted network (adjust port and IP range as needed)
iptables -A INPUT -p tcp --dport 3689 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3689 -j DROP

