Cyber Resilience

CVE-2025-57155

Severity: High

Published: 20 January 2026

Modified: 13 February 2026
KEV Added: not listed
Patch: fixing commit available (see Deeper analysis)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0025 (48.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-57155 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Owntone Owntone Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks the CVE at the 48.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-57155 is a NULL pointer dereference vulnerability in the daap_reply_groups function within src/httpd_daap.c of owntone-server, affecting the software through commit 5e6f19a, a newer commit after version 28.2. This issue, mapped to CWE-476, carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact availability disruption without confidentiality or integrity effects.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Successful exploitation triggers a NULL pointer dereference, causing a denial of service through server crashes.

Advisories and patches provide mitigation guidance, including the security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md and the fixing commit at https://github.com/owntone/owntone-server/commit/d857116e4143a500d6a1ea13f4baa057ba3b0028. Practitioners should consult these references for detailed remediation steps, such as applying the patch or upgrading to a fixed version.
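To make the CWE-476 pattern behind this CVE concrete, the following is an added, constructed C example; it is not owntone-server's daap_reply_groups code (which this page does not reproduce). It assumes a DAAP-style query string in which a handler looks up a required parameter: the unchecked version dereferences the lookup result unconditionally, while the hardened version turns the missing-parameter case into an error return that the caller can map to a client-facing error instead of a crash. The names find_param, reply_groups_unchecked, reply_groups_checked and DAAP_BAD_REQUEST are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical illustration of CWE-476 (added example, not owntone-server code).
   A DAAP-style request carries a query string such as "type=music&meta=dmap.itemname".
   find_param() returns a pointer to the value, or NULL when the key is absent. */
static const char *find_param(const char *query, const char *key)
{
    size_t klen = strlen(key);
    const char *p = query;

    while (p && *p) {
        /* match "key=" only at the start of a '&'-separated segment */
        if (strncmp(p, key, klen) == 0 && p[klen] == '=')
            return p + klen + 1;
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return NULL;
}

/* Vulnerable shape: the lookup result is used without a NULL check.
   A request that simply omits "meta" makes this read through a NULL pointer,
   and the whole server process dies: remote, unauthenticated denial of service. */
static size_t reply_groups_unchecked(const char *query)
{
    const char *meta = find_param(query, "meta");
    return strlen(meta);                 /* CWE-476 when meta == NULL */
}

/* Hardened shape: the missing-parameter case is an explicit error path.
   The request is rejected, the process keeps serving other clients. */
#define DAAP_BAD_REQUEST (-1)            /* hypothetical error code */
static int reply_groups_checked(const char *query, size_t *out_len)
{
    const char *meta = find_param(query, "meta");
    if (meta == NULL) {
        fprintf(stderr, "groups: missing required 'meta' parameter\n");
        return DAAP_BAD_REQUEST;         /* caller maps this to an HTTP 400 */
    }
    /* length of the value up to the next '&' (or end of string) */
    const char *end = strchr(meta, '&');
    *out_len = end ? (size_t)(end - meta) : strlen(meta);
    return 0;
}

int main(void)
{
    size_t n = 0;

    /* well-formed request: both shapes behave the same */
    printf("unchecked len=%zu\n", reply_groups_unchecked("type=music&meta=dmap.itemname"));
    printf("checked rc=%d len=%zu\n",
           reply_groups_checked("type=music&meta=dmap.itemname", &n), n);

    /* malformed request: only the checked shape survives it */
    printf("checked rc=%d (missing meta)\n", reply_groups_checked("type=music", &n));
    return 0;
}
```

The defensive point is that every lookup that can legitimately return NULL needs a handled failure path before the pointer is used; a crash on malformed input is a denial of service, and in a network-facing daemon the input is attacker-chosen.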


Vulnerability details

NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service.

CWE(s)

CWE-476: NULL Pointer Dereference

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A NULL pointer dereference lets a remote request crash the application, which is a denial of service achieved through software exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-57156 (same product: Owntone Owntone Server)
CVE-2025-63647 (same product: Owntone Owntone Server)
CVE-2025-63648 (same product: Owntone Owntone Server)
CVE-2026-40413 (shared CWE-476)
CVE-2026-28390 (shared CWE-476)
CVE-2026-23952 (shared CWE-476)
CVE-2025-69624 (shared CWE-476)
CVE-2024-55193 (shared CWE-476)
CVE-2026-25795 (shared CWE-476)
CVE-2026-33282 (shared CWE-476)

Affected Assets

Vendor: owntone
Product: owntone server
Versions: ≤ 28.2

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): Directly requires timely remediation of software flaws such as the NULL pointer dereference in owntone-server, preventing exploitation via patching or upgrading.

SI-11 Error Handling (prevent): Mandates secure error handling to prevent NULL pointer dereferences from causing server crashes and denial of service.

Denial-of-service protection (prevent): Provides protection against denial-of-service events like remote-triggered server crashes from this vulnerability.

References

Security advisory: https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md
Fixing commit: https://github.com/owntone/owntone-server/commit/d857116e4143a500d6a1ea13f4baa057ba3b0028