Cyber Posture

CVE-2025-63648

High

Published: 20 January 2026

Published
20 January 2026
Modified
13 February 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0005 16.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63648 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Owntone Owntone Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 16.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

NULL pointer dereference in public-facing owntone-server directly enables remote unauthenticated application exploitation resulting in crash/DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server.

Deeper analysisAI

CVE-2025-63648 is a NULL pointer dereference vulnerability in the dacp_reply_playqueueedit_move function located in src/httpd_dacp.c of owntone-server at commit b7e385f. This flaw affects the owntone-server software, an open-source media server, and was published on 2026-01-20. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-476 (NULL Pointer Dereference).

Remote attackers without authentication can exploit this vulnerability by sending a specially crafted DACP request to the owntone-server instance. Successful exploitation triggers the NULL pointer dereference, resulting in a Denial of Service (DoS) condition that crashes the server and disrupts service availability. The attack requires low complexity, no user interaction, and network access to the affected service.

Mitigation is available through a patch in owntone-server commit 5f526c7a7e08c567a5c72421d74a79dafdd07621. Security practitioners should review the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md and the related GitHub issue at https://github.com/owntone/owntone-server/issues/1933 for additional details on upgrading or applying the fix.

Details

CWE(s)
CWE-476

Affected Products

owntone
owntone server
≤ 29.0

CVEs Like This One

CVE-2025-57156Same product: Owntone Owntone Server
CVE-2025-63647Same product: Owntone Owntone Server
CVE-2025-57155Same product: Owntone Owntone Server
CVE-2026-4652Shared CWE-476
CVE-2026-33282Shared CWE-476
CVE-2025-0430Shared CWE-476
CVE-2026-31256Shared CWE-476
CVE-2025-69649Shared CWE-476
CVE-2026-27141Shared CWE-476
CVE-2026-25795Shared CWE-476

References