Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-25579

Good to know:

icon
icon

Date: February 4, 2026

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0.

Severity Score

Related Resources (5)

https://github.com/navidrome/navidrome
https://github.com/navidrome/navidrome/releases/tag/v0.60.0
https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3
https://nvd.nist.gov/vuln/detail/CVE-2026-25579
https://www.mend.io/vulnerability-database/CVE-2026-25579

Severity Score

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Memory Allocation with Excessive Size Value

CWE-789

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

icon

Upgrade Version

Upgrade to version github.com/navidrome/navidrome - v0.60.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us