CVE-2025-63647
Published: 20 January 2026
Summary
CVE-2025-63647 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in OwnTone Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 31.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2025-63647 is a NULL pointer dereference vulnerability in the parse_meta function located in src/httpd_daap.c of owntone-server at commit 334beb. This flaw affects the owntone-server media server software and was published on 2026-01-20. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-476 (NULL Pointer Dereference).
The vulnerability can be exploited by remote attackers with network access to the server, requiring no authentication, privileges, or user interaction. By sending a crafted DAAP request to the server, attackers can trigger the NULL pointer dereference, resulting in a Denial of Service (DoS) that crashes the server and disrupts availability.
The fix is in owntone-server commit 53ee9a3c3921e5448f502800c4dfa787865f6cb7, which operators of vulnerable installations should apply. An advisory detailing the issue is available at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md, and a proof-of-concept exploit is provided at https://github.com/archersec/poc/tree/master/owntone-server.
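As an added, defender-side illustration (not owntone's code and not the patched parse_meta), the following C sketch shows the input-validation and error-handling pattern that SI-10 and SI-11 call for in a DAAP meta parameter parser: a missing or malformed meta value is rejected with an error that the handler turns into a 400 reply, instead of being dereferenced. The field names, limits and function names are constructed for this example.

```c
#include <string.h>
#define META_MAX_FIELDS 16
#define META_MAX_NAME   32

/* Parsed "meta=" parameter: the DMAP field names a DAAP client requests. */
struct meta_list {
    char fields[META_MAX_FIELDS][META_MAX_NAME];
    int count;
};

/* Hypothetical NULL-safe stand-in for a DAAP meta parser (not owntone's parse_meta).
 * Returns 0 on success, -1 on missing or malformed input; never dereferences NULL. */
int parse_meta_safe(const char *meta, struct meta_list *out)
{
    const char *p, *start;
    size_t len;
    if (!out)
        return -1;
    out->count = 0;
    /* A request with no meta value yields a NULL lookup: reject it here (SI-10). */
    if (!meta || *meta == '\0')
        return -1;
    for (p = meta;; p++) {
        start = p;
        while (*p && *p != ',')
            p++;
        len = (size_t)(p - start);
        /* Empty names ("a,,b"), oversized names and too many fields are malformed. */
        if (len == 0 || len >= META_MAX_NAME || out->count >= META_MAX_FIELDS)
            return -1;
        memcpy(out->fields[out->count], start, len);
        out->fields[out->count][len] = '\0';
        out->count++;
        if (*p == '\0')
            return 0;
    }
}

/* Handler side: a parser error becomes an HTTP 400 reply, not a crash (SI-11). */
int daap_meta_status(const char *meta)
{
    struct meta_list ml;
    return parse_meta_safe(meta, &ml) == 0 ? 200 : 400;
}

/* Number of parsed fields, or -1 when the parser rejects the input. */
int meta_field_count(const char *meta)
{
    struct meta_list ml;
    return parse_meta_safe(meta, &ml) == 0 ? ml.count : -1;
}
```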
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3335
Vulnerability details
A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) by sending a crafted DAAP request to the server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The NULL pointer dereference in the DAAP request handler lets a remote attacker crash the application with crafted input, which matches T1499.004 (Application or System Exploitation) as a denial-of-service technique.
Mitigating Controls (NIST 800-53 r5)
- Vendor fix: directly remediates the NULL pointer dereference by applying the fix in commit 53ee9a3, preventing DoS crashes from crafted DAAP requests.
- SI-11 (Error Handling): ensures the parse_meta function handles NULL pointers and parsing errors without compromising system availability, avoiding server crashes.
- SI-10 (Information Input Validation): validates incoming DAAP requests to block malformed inputs that trigger the NULL pointer dereference in parse_meta.