CVE-2025-63648
Published: 20 January 2026
Summary
CVE-2025-63648 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Owntone Server (owntone-server). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 30.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2025-63648 is a NULL pointer dereference vulnerability in the dacp_reply_playqueueedit_move function located in src/httpd_dacp.c of owntone-server at commit b7e385f. This flaw affects the owntone-server software, an open-source media server, and was published on 2026-01-20. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-476 (NULL Pointer Dereference).
Remote attackers without authentication can exploit this vulnerability by sending a specially crafted DACP request to the owntone-server instance. Successful exploitation triggers the NULL pointer dereference, resulting in a Denial of Service (DoS) condition that crashes the server and disrupts service availability. The attack requires low complexity, no user interaction, and network access to the affected service.
Mitigation is available through a patch in owntone-server commit 5f526c7a7e08c567a5c72421d74a79dafdd07621. Security practitioners should review the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md and the related GitHub issue at https://github.com/owntone/owntone-server/issues/1933 for additional details on upgrading or applying the fix.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3333
Vulnerability details
A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A NULL pointer dereference in a public-facing owntone-server instance lets a remote, unauthenticated request crash the application, which is the crash/DoS outcome that Application or System Exploitation (T1499.004) describes.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Mandates timely flaw remediation, directly addressing the NULL pointer dereference via patching as provided in owntone-server commit 5f526c7.
- SI-11 (Error Handling): Requires robust error handling to avoid crashes from NULL pointer dereferences when processing crafted DACP requests.
- SI-10 (Information Input Validation): Enforces input validation on DACP requests to reject malformed data that triggers the NULL pointer dereference in dacp_reply_playqueueedit_move.
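As an added illustration of the CWE-476 pattern and of the SI-10/SI-11 controls above, not code from owntone-server: a DACP-style play-queue move handler that reads two request parameters, first in the unchecked form where a request missing a parameter hands NULL to the parser, then in a hardened form that validates the input and answers HTTP 400 instead of crashing. The `from`/`to` parameter names and the `param_get` lookup are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical request-parameter lookup: returns NULL when the query string lacks the key. */
const char *param_get(const char *query, const char *key)
{
  size_t klen = strlen(key);
  const char *p = query;
  while (p && *p) {
    if (strncmp(p, key, klen) == 0 && p[klen] == '=')
      return p + klen + 1;
    p = strchr(p, '&');
    if (p) p++;
  }
  return NULL;
}

/* Unchecked pattern (CWE-476): a request lacking "from" or "to" hands NULL to atoi and crashes the server. */
int playqueue_move_unchecked(const char *query, int *from, int *to)
{
  *from = atoi(param_get(query, "from"));
  *to = atoi(param_get(query, "to"));
  return 200;
}

/* Hardened pattern (SI-10 input validation, SI-11 error handling): require both
 * parameters to be present non-negative integers and answer HTTP 400 otherwise. */
int playqueue_move_checked(const char *query, int *from, int *to)
{
  const char *f = param_get(query, "from");
  const char *t = param_get(query, "to");
  char *end;
  long lf, lt;
  if (!f || !t)
    return 400;                       /* missing parameter: reject, do not dereference */
  lf = strtol(f, &end, 10);
  if (end == f || (*end != '\0' && *end != '&') || lf < 0)
    return 400;                       /* empty, non-numeric or negative index */
  lt = strtol(t, &end, 10);
  if (end == t || (*end != '\0' && *end != '&') || lt < 0)
    return 400;
  *from = (int)lf;
  *to = (int)lt;
  return 200;
}

/* Wrappers exposing the outcome as plain return values: status code, and parsed "from" or -1. */
int move_status(const char *query) { int f, t; return playqueue_move_checked(query, &f, &t); }
int move_from(const char *query) { int f, t; return playqueue_move_checked(query, &f, &t) == 200 ? f : -1; }
```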