Denial of Service Vulnerability in Owntone Server by Owntone
CVE-2025-63648

7.5HIGH

Key Information:

Vendor: Owntone
Status: owntone-server
Vendor: CVE Published:; 20 January 2026

What is CVE-2025-63648?

A vulnerability found in the owntone-server's DACP request handling allows attackers to exploit a NULL pointer dereference in the dacp_reply_playqueueedit_move function. By crafting specific DACP requests, an attacker can trigger a Denial of Service condition, leading to service interruptions. Users are advised to review the vulnerability details and apply appropriate mitigations to safeguard their servers.

References

https://github.com/owntone/owntone-server/issues/1933

https://github.com/owntone/owntone-server/commit/5f526c7a...

https://github.com/archersec/security-advisories/blob/mas...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 20, 2026
Vulnerability Reserved
Oct 27, 2025

CVE-2025-63648 Data

JSON