Cyber Resilience

CVE-2025-63647

High

Published: 20 January 2026

Published
20 January 2026
Modified
13 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0013 31.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63647 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Owntone Owntone Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 31.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2025-63647 is a NULL pointer dereference vulnerability in the parse_meta function located in src/httpd_daap.c of owntone-server at commit 334beb. This flaw affects the owntone-server media server software and was published on 2026-01-20. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-476 (NULL Pointer Dereference).

The vulnerability can be exploited by remote attackers with network access to the server, requiring no authentication, privileges, or user interaction. By sending a crafted DAAP request to the server, attackers can trigger the NULL pointer dereference, resulting in a Denial of Service (DoS) that crashes the server and disrupts availability.

Mitigation is addressed in the owntone-server commit 53ee9a3c3921e5448f502800c4dfa787865f6cb7, which security practitioners should apply to vulnerable installations. An advisory detailing the issue is available at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md, and a proof-of-concept exploit is provided at https://github.com/archersec/poc/tree/master/owntone-server.

EU & UK References

Vulnerability details

A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference in DAAP request handler directly enables remote application crash via crafted input, matching T1499.004 (Application or System Exploitation) for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-57155Same product: Owntone Owntone Server
CVE-2025-57156Same product: Owntone Owntone Server
CVE-2025-63648Same product: Owntone Owntone Server
CVE-2026-40413Shared CWE-476
CVE-2026-28390Shared CWE-476
CVE-2026-23952Shared CWE-476
CVE-2025-69624Shared CWE-476
CVE-2024-55193Shared CWE-476
CVE-2026-25795Shared CWE-476
CVE-2026-33282Shared CWE-476

Affected Assets

owntone
owntone server
≤ 28.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the NULL pointer dereference by applying the vendor fix in commit 53ee9a3, preventing DoS crashes from crafted DAAP requests.

prevent

Ensures the parse_meta function handles NULL pointers and parsing errors without compromising system availability, avoiding server crashes.

prevent

Validates incoming DAAP requests to block malformed inputs that trigger the NULL pointer dereference in parse_meta.

References