CVE-2026-25579: Navidrome DoS Vulnerability

CVE-2026-25579 Overview

Navidrome, an open source web-based music collection server and streamer, contains a critical resource exhaustion vulnerability in versions prior to 0.60.0. This vulnerability allows authenticated users to crash the Navidrome server by supplying an excessively large size parameter to the /rest/getCoverArt endpoint or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth that can trigger the Linux OOM (Out-of-Memory) killer, terminate the Navidrome process, and result in a full service outage.

Critical Impact

Authenticated attackers can cause complete denial of service through memory exhaustion, potentially triggering the Linux OOM killer. If the system survives the initial memory allocation, attackers can also rapidly exhaust server disk space through cached oversized images.

Affected Products

• Navidrome versions prior to 0.60.0
• Self-hosted Navidrome instances with cover art functionality enabled
• Navidrome deployments with shared-image URL feature active

Discovery Timeline

• 2026-02-04 - CVE-2026-25579 published to NVD
• 2026-02-05 - Last updated in NVD database

Technical Details for CVE-2026-25579

Vulnerability Analysis

This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The core issue resides in the image processing functionality of Navidrome, specifically in how the application handles user-supplied size parameters for cover art image resizing operations.

When a user requests a cover art image via the /rest/getCoverArt endpoint or through a shared-image URL at /share/img/<token>, they can specify a size parameter. The vulnerability arises because Navidrome does not properly validate or limit this size parameter before attempting to allocate memory for the resized image. An authenticated attacker can supply an excessively large value, causing the server to attempt creating an image of enormous dimensions.

The attack has a dual impact: first, the immediate memory exhaustion can trigger the Linux OOM killer, which terminates the Navidrome process entirely, causing a complete service outage. Second, if the system has sufficient memory to survive the initial allocation, Navidrome writes these oversized images into its cache directory. This secondary effect enables an attacker to rapidly fill the server's disk space, creating a persistent denial of service condition even after system recovery.

Root Cause

The root cause is insufficient input validation on the size parameter accepted by the image resizing functionality. The application fails to enforce reasonable upper bounds on the dimensions of resized images, allowing arbitrary memory allocation based on user-controlled input. This lack of server-side validation enables attackers to request image processing operations that consume resources far beyond what would be expected in normal operation.

Attack Vector

The attack is network-based and requires authentication to the Navidrome instance. An attacker with valid credentials can craft malicious HTTP requests to either the /rest/getCoverArt endpoint or the shared-image URL endpoint, specifying an extremely large size parameter. The attack does not require any special privileges beyond basic authenticated access.

The vulnerability can be exploited through simple HTTP GET requests with manipulated query parameters. For the REST API endpoint, the attacker targets /rest/getCoverArt with an oversized dimension value. For shared images, the attack targets /share/img/<token> URLs that are typically used for sharing cover art with external users.

The exploitation mechanics involve sending repeated requests with extremely large size values to exhaust either memory (causing OOM termination) or disk space (through cache filling), or both simultaneously. Since the attack requires authentication, the threat is primarily from malicious insiders, compromised accounts, or in scenarios where user registration is open.

Detection Methods for CVE-2026-25579

Indicators of Compromise

• Unusually large HTTP requests to /rest/getCoverArt or /share/img/ endpoints with extreme size parameter values
• Sudden spikes in memory usage by the Navidrome process followed by process termination
• Rapid growth of the Navidrome cache directory containing oversized image files
• Linux kernel OOM killer logs showing Navidrome process termination
• Abnormal disk space consumption in the Navidrome installation directory

Detection Strategies

• Monitor Navidrome access logs for requests to /rest/getCoverArt and /share/img/ endpoints with unusually large size parameters (values exceeding typical display resolutions such as 4096x4096)
• Configure system monitoring to alert on rapid memory growth associated with the Navidrome process
• Implement log analysis to correlate Navidrome process crashes with preceding cover art requests
• Set up disk space monitoring alerts for the Navidrome cache directory

Monitoring Recommendations

• Enable verbose logging for Navidrome and centralize logs for analysis
• Configure resource usage monitoring (memory, disk) with automated alerting thresholds
• Monitor for repeated authentication attempts followed by resource-intensive operations
• Implement rate limiting monitoring on the affected endpoints to detect potential abuse patterns

How to Mitigate CVE-2026-25579

Immediate Actions Required

• Upgrade Navidrome to version 0.60.0 or later immediately
• Review Navidrome access logs for evidence of exploitation attempts
• Monitor system resources for unusual memory or disk space consumption
• Consider temporarily restricting access to the Navidrome instance until patching is complete
• Clear the Navidrome cache directory if abnormally large files are present

Patch Information

This vulnerability has been patched in Navidrome version 0.60.0. The fix implements proper validation and limits on the size parameter accepted by the cover art and shared-image endpoints, preventing the allocation of excessive memory for image resizing operations.

For detailed patch information, refer to the Navidrome Release v0.60.0 and the GitHub Security Advisory GHSA-hrr4-3wgr-68x3.

Workarounds

• Implement a reverse proxy (nginx, Apache) in front of Navidrome that validates and limits the size parameter on incoming requests to the affected endpoints
• Configure system-level resource limits (cgroups, ulimits) to constrain Navidrome's maximum memory usage
• Set up disk quotas for the Navidrome cache directory to prevent complete disk exhaustion
• Temporarily disable or restrict access to the cover art and shared-image functionality if upgrading is not immediately possible

# Example nginx configuration to limit size parameter
# Add to nginx server block handling Navidrome proxy
location ~ ^/rest/getCoverArt {
    # Reject requests with size parameter exceeding 2048
    if ($arg_size ~* "^[3-9][0-9]{3,}|[0-9]{5,}$") {
        return 403;
    }
    proxy_pass http://navidrome_backend;
}

location ~ ^/share/img/ {
    # Apply similar restrictions for shared images
    if ($arg_size ~* "^[3-9][0-9]{3,}|[0-9]{5,}$") {
        return 403;
    }
    proxy_pass http://navidrome_backend;
}