Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.
AnalysisAI
Buffer overflow in owntone-server commit 2ca10d9 allows unauthenticated remote attackers to achieve code execution or denial of service with critical CVSS 9.8 severity. The vulnerability stems from inadequate recursive input validation (CWE-120), enabling network-accessible exploitation without user interaction. No public exploit identified at time of analysis, though proof-of-concept details exist in GitHub issue #1873. EPSS score of 0.02% (5th percentile) suggests low observed exploitation probability despite maximum theoretical severity.
Technical ContextAI
Owntone-server (formerly forked-daapd) is a media server supporting streaming protocols like DAAPD, AirPlay, and Chromecast. This buffer overflow (CWE-120) originates from insufficient bounds checking during recursive processing of user-controlled input, likely in parsing network protocol messages or media metadata. The specific commit 2ca10d9 introduced or exposed the vulnerability through logic that fails to validate data size or depth during recursive operations, allowing attackers to write beyond allocated buffer boundaries. Network attack vector (AV:N) with low complexity (AC:L) indicates the flaw exists in a remotely accessible service component without requiring special conditions or race timing. The unchanged scope (S:U) suggests exploitation occurs within the vulnerable component's security context, typically the media server process privileges.
RemediationAI
Update owntone-server to the latest stable release from the official GitHub repository at https://github.com/owntone/owntone-server, ensuring the installation includes fixes applied after commit 2ca10d9 that address recursive input validation. Monitor GitHub issue #1873 at https://github.com/owntone/owntone-server/issues/1873 for patch commit references and maintainer guidance on specific fixed versions. No vendor-released patch version number is independently confirmed from available data; users must track upstream repository commits for remediation. As interim mitigation, restrict network exposure by binding owntone-server only to trusted LAN interfaces, implementing firewall rules to block external access on service ports (typically TCP 3689 for DAAP), and deploying network segmentation to isolate media server traffic from untrusted networks. Consider disabling recursive protocol features if configuration options exist until patched builds are verified and deployed.
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209405