Cyber Posture

CVE-2025-63647

Severity: High
Published: 20 January 2026
Modified: 13 February 2026
KEV Added: not listed
Patch: fix commit available (see Deeper analysis)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (17.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-63647 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Owntone's Owntone Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS ranking is the 17.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference in DAAP request handler directly enables remote application crash via crafted input, matching T1499.004 (Application or System Exploitation) for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.

Deeper analysis

CVE-2025-63647 is a NULL pointer dereference vulnerability in the parse_meta function located in src/httpd_daap.c of owntone-server at commit 334beb. This flaw affects the owntone-server media server software and was published on 2026-01-20. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-476 (NULL Pointer Dereference).

The vulnerability can be exploited by remote attackers with network access to the server, requiring no authentication, privileges, or user interaction. By sending a crafted DAAP request to the server, attackers can trigger the NULL pointer dereference, resulting in a Denial of Service (DoS) that crashes the server and disrupts availability.

Mitigation is addressed in the owntone-server commit 53ee9a3c3921e5448f502800c4dfa787865f6cb7, which security practitioners should apply to vulnerable installations. An advisory detailing the issue is available at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md, and a proof-of-concept exploit is provided at https://github.com/archersec/poc/tree/master/owntone-server.

Details

CWE(s)

CWE-476 (NULL Pointer Dereference)

Affected Products

Vendor: Owntone
Product: Owntone Server
Versions: ≤ 28.3

CVEs Like This One

CVE-2025-63648 (same product: Owntone Owntone Server)
CVE-2025-57156 (same product: Owntone Owntone Server)
CVE-2025-57155 (same product: Owntone Owntone Server)
CVE-2026-4652 (shared CWE-476)
CVE-2026-33282 (shared CWE-476)
CVE-2025-0430 (shared CWE-476)
CVE-2026-31256 (shared CWE-476)
CVE-2025-69649 (shared CWE-476)
CVE-2026-27141 (shared CWE-476)
CVE-2026-25795 (shared CWE-476)
