{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-14T21:38:02.586","vulnerabilities":[{"cve":{"id":"CVE-2026-25579","sourceIdentifier":"security-advisories@github.com","published":"2026-02-04T22:16:01.257","lastModified":"2026-02-18T19:01:54.600","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0."},{"lang":"es","value":"Navidrome es un servidor y streamer de colección de música basado en web de código abierto. Antes de la versión 0.60.0, los usuarios autenticados pueden bloquear el servidor de Navidrome al proporcionar un parámetro de tamaño excesivamente grande a /rest/getCoverArt o a una URL de imagen compartida (/share/img/). Al procesar dichas solicitudes, el servidor intenta crear una imagen redimensionada extremadamente grande, lo que provoca un crecimiento descontrolado de la memoria. Esto activa el OOM killer de Linux, termina el proceso de Navidrome y resulta en una interrupción completa del servicio. Si el sistema tiene suficiente memoria y sobrevive a la asignación, Navidrome escribe estas imágenes redimensionadas extremadamente grandes en su directorio de caché, permitiendo que un atacante agote rápidamente el espacio en disco del servidor también. Este problema ha sido parcheado en la versión 0.60.0."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.2,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-400"},{"lang":"en","value":"CWE-770"},{"lang":"en","value":"CWE-789"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*","versionEndExcluding":"0.60.0","matchCriteriaId":"505C09F4-61BF-49C6-A089-5E2E8577E01B"}]}]}],"references":[{"url":"https://github.com/navidrome/navidrome/releases/tag/v0.60.0","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}