VYPR
Medium severity (6.5) · NVD Advisory · Published Apr 15, 2025 · Updated Apr 15, 2026

CVE-2025-32439


Description

pleezer is a headless Deezer Connect player. Hook scripts in pleezer can be triggered by various events like track changes and playback state changes. In versions before 0.16.0, these scripts were spawned without proper process cleanup: the child's exit status was never collected with wait(), so each finished script stayed in the system's process table as a zombie. Even during normal usage, every track change and playback event would leave behind a zombie process. This leads to inevitable resource exhaustion over time as the process table fills up, eventually preventing new processes from being created. The issue is exacerbated if events occur rapidly, whether through normal use (e.g., skipping through a playlist) or potential manipulation of the Deezer Connect protocol traffic. This issue has been fixed in version 0.16.0.
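The description above says the hook child was spawned without cleanup. The following is an added example and not pleezer's code; it uses only the Rust standard library so it runs without tokio. It reproduces the zombie with spawn-and-forget, then shows the synchronous wait() fix and a reaper-thread variant that keeps the caller non-blocking. It assumes a Linux /proc filesystem for the state check (it reports Unknown elsewhere), uses the `true` binary as a stand-in for a hook script, and borrows the EVENT and TITLE environment variable names from pleezer's hook interface.

```rust
// Added example (not pleezer's code): why a spawned-and-forgotten child becomes
// a zombie, and two ways to reap it. The /proc check is Linux-only.
use std::fs;
use std::path::Path;
use std::process::{Child, Command, Stdio};
use std::thread::{self, JoinHandle};
use std::time::Duration;

/// State of a child process as reported by /proc/<pid>/stat.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum ProcState {
    /// Exited but not yet waited on: the zombie the advisory describes.
    Zombie,
    /// Still running or sleeping.
    Alive,
    /// No /proc entry: the process has been reaped.
    Gone,
    /// No /proc on this platform; the check cannot be made.
    Unknown,
}

/// Read the state field of /proc/<pid>/stat. The command name is wrapped in
/// parentheses and may itself contain spaces, so parse after the last ')'.
pub fn proc_state(pid: u32) -> ProcState {
    if !Path::new("/proc/self").exists() {
        return ProcState::Unknown;
    }
    match fs::read_to_string(format!("/proc/{pid}/stat")) {
        Err(_) => ProcState::Gone,
        Ok(stat) => {
            let after = stat.rfind(')').map(|i| &stat[i + 1..]).unwrap_or("");
            match after.trim_start().chars().next() {
                Some('Z') => ProcState::Zombie,
                Some(_) => ProcState::Alive,
                None => ProcState::Unknown,
            }
        }
    }
}

/// Build the hook command the way a player does: event data travels in
/// environment variables, never interpolated into a shell string.
fn hook_command(event: &str, title: &str) -> Command {
    // `true` is an assumed stand-in for the user's hook script.
    let mut cmd = Command::new("true");
    cmd.env("EVENT", event).env("TITLE", title).stdin(Stdio::null());
    cmd
}

/// The pre-0.16.0 pattern: spawn and drop the handle. std::process::Child has
/// no Drop that waits, so once the script exits nobody collects its status.
pub fn spawn_and_forget(event: &str, title: &str) -> u32 {
    let child = hook_command(event, title).spawn().expect("spawn hook");
    child.id() // `child` is dropped here without wait(): the exit status is never collected
}

/// Synchronous fix: wait for the script before moving on. This reaps it but
/// stalls the caller for as long as the script runs.
pub fn spawn_and_wait(event: &str, title: &str) -> (u32, bool) {
    let mut child = hook_command(event, title).spawn().expect("spawn hook");
    let pid = child.id();
    let status = child.wait().expect("wait hook");
    (pid, status.success())
}

/// Non-blocking fix without an async runtime: hand the Child to a reaper thread,
/// so the caller returns at once and the child is still waited on.
pub fn spawn_and_reap_in_background(event: &str, title: &str) -> (u32, JoinHandle<bool>) {
    let mut child: Child = hook_command(event, title).spawn().expect("spawn hook");
    let pid = child.id();
    let reaper = thread::spawn(move || child.wait().map(|s| s.success()).unwrap_or(false));
    (pid, reaper)
}

/// Poll /proc until the child is no longer running (about 2 s at most) and
/// report what it became: Zombie if nobody waited on it, Gone if it was reaped.
pub fn state_after_exit(pid: u32) -> ProcState {
    for _ in 0..40 {
        match proc_state(pid) {
            ProcState::Alive => thread::sleep(Duration::from_millis(50)),
            other => return other,
        }
    }
    ProcState::Alive
}

fn main() {
    let leaked = spawn_and_forget("track_changed", "Example Song");
    println!("forgotten child {leaked}: {:?}", state_after_exit(leaked));
    let (waited, ok) = spawn_and_wait("track_changed", "Example Song");
    println!("waited child {waited} (success={ok}): {:?}", proc_state(waited));
    let (bg, reaper) = spawn_and_reap_in_background("paused", "Example Song");
    let ok = reaper.join().expect("reaper thread");
    println!("background-reaped child {bg} (success={ok}): {:?}", proc_state(bg));
}
```

Run it on Linux and the first line reports Zombie while the other two report Gone: the leaked child has finished, but its process-table slot stays occupied until something calls wait() on it, which is exactly the per-event leak the advisory describes.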

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions   Patched versions
pleezer (crates.io)  < 0.16.0            0.16.0

Patches (2)

Commit 436a5f1e4c08

perf: make hook script execution non-blocking

https://github.com/roderickvd/pleezer · Roderick van Domburg · Apr 13, 2025 · via GHSA
3 files changed · +27 −19
  • Cargo.toml · +1 −0 · modified
    @@ -95,6 +95,7 @@ thiserror = "2"
     time = "0.3"
     tokio = { version = "1", features = [
         "macros",
    +    "process",
         "signal",
         "rt-multi-thread",
         "time",
    
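Review bot: the reason for enabling tokio's "process" feature is recorded nowhere in the patch; it is the gate for the `use tokio::process::Command` import in src/remote.rs, and a one-line mention in the commit message that the hook child is now spawned through tokio so it can be awaited and reaped would make this dependency change self-explanatory for anyone reading the Cargo.toml history later.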
  • README.md · +12 −16 · modified
    @@ -352,7 +352,9 @@ The proxy settings will be automatically detected and used for all Deezer Connec
     
     ### Hook Scripts
     
    -You can use the `--hook` option to specify a script that will be executed when certain events occur. The script will receive information about these events through environment variables.
    +You can use the `--hook` option to specify a script that will be executed whenever certain events occur (like starting a song or pausing playback). The script will receive information about these events through environment variables.
    +
    +**Important:** Keep your hook scripts quick and simple. If you need to perform time-consuming operations (like uploading data or processing files), make sure to run those in the background (for example, using `&` in shell scripts) to avoid affecting pleezer's performance.
     
     #### Event Types
     
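Review bot: the new "Important:" paragraph says a slow hook will "affect pleezer's performance" without saying what actually happens; with the `child.wait().await` added to src/remote.rs in this same patch, the hook's exit is awaited inside the event handler, so a hook that runs for ten seconds delays handling of the next Deezer Connect event by ten seconds. State that consequence directly, and pair the `&` advice with redirecting the background job's output and not calling `wait` on it inside the script, so that the script itself exits immediately and only the background job keeps running.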
    @@ -422,30 +424,24 @@ Emitted when the controller disconnects
     #### Example
     Note: The script must properly escape received values to prevent command injection when using them in shell commands. In bash, `printf %q` provides safe escaping:
     
    +#### Example
    +When using event variables in shell commands, always use `printf %q` to safely escape the values:
    +
     ```bash
     #!/bin/bash
     # example-hook.sh
    -echo "Event: $EVENT"
     case "$EVENT" in
     "track_changed")
    -    # Use printf %q to prevent command injection when using values in commands
    -    echo "Track changed: $(printf %q "$TITLE") by $(printf %q "$ARTIST")"
    -    echo "Input format: $(printf %q "$FORMAT")"
    -    echo "Decoded as: $(printf %q "$DECODER")"
    -    ;;
    -"connected")
    -    echo "Connected as: $(printf %q "$USER_NAME")"
    +    # Safely print track info by escaping special characters
    +    echo "Now playing: $(printf %q "$TITLE") by $(printf %q "$ARTIST")"
    +
    +    # Safely pass variables to background tasks
    +    update_home_automation "$(printf %q "$TITLE")" "$(printf %q "$ARTIST")" &
         ;;
     esac
     ```
     
    -Example output:
    -```
    -Event: track_changed
    -Track changed: "Example Song" by "Example Artist"
    -Input format: "MP3 320K"
    -Decoded as: "PCM 16 bit 44.1 kHz, Stereo"
    -```
    +This prevents problems that could occur with special characters in titles or artist names.
     
     ### Stateless Configuration
     
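Review bot: this hunk leaves the README with two consecutive "#### Example" headings and two intro sentences, because the existing `#### Example` and `Note: The script must properly escape received values...` lines are kept as context while `+#### Example` and `+When using event variables in shell commands...` are added directly after them; drop one of the two pairs. The `printf %q` advice is also applied to the wrong case: `update_home_automation "$(printf %q "$TITLE")" "$(printf %q "$ARTIST")" &` passes the shell-quoted form as a literal argument, so a title like `It's Mine` arrives as `It\'s\ Mine`. When a value is passed as a separate argument, plain `"$TITLE"` is already safe; `%q` is only needed when the value is interpolated into a command string that a shell parses again (for example via `sh -c` or `eval`). The same applies to the `echo "Now playing: ..."` line, which prints the escaped form rather than the title. Removing the "Example output" block also removes the only illustration of the variable values a hook receives; consider keeping it.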
    
  • src/remote.rs · +14 −3 · modified
    @@ -117,14 +117,14 @@ use std::{
         fmt::Write,
         ops::ControlFlow,
         pin::Pin,
    -    process::Command,
         time::Duration,
     };
     
     use futures_util::{SinkExt, StreamExt, stream::SplitSink};
     use log::Level;
     use semver;
     use time::OffsetDateTime;
    +use tokio::process::Command;
     use tokio_tungstenite::{
         MaybeTlsStream, WebSocketStream,
         tungstenite::{
    @@ -1005,8 +1005,19 @@ impl Client {
             }
     
             if let Some(command) = command.as_mut() {
    -            if let Err(e) = command.spawn() {
    -                error!("failed to spawn hook script: {e}");
    +            match command.spawn() {
    +                Ok(mut child) => match child.wait().await {
    +                    Ok(status) => {
    +                        if !status.success() {
    +                            error!(
    +                                "hook script exited with error {}",
    +                                status.code().unwrap_or(-1)
    +                            );
    +                        }
    +                    }
    +                    Err(e) => error!("failed to wait for hook script: {e}"),
    +                },
    +                Err(e) => error!("failed to spawn hook script: {e}"),
                 }
             }
         }
    
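Review bot: `child.wait().await` has no timeout and runs inline in the event handler, so a hook script that hangs (or simply runs long, which the README change in this same patch warns users about) stalls processing of every subsequent Deezer Connect event for as long as it runs; the commit title's "non-blocking" holds for the thread, not for the client. Either wrap the wait in `tokio::time::timeout(Duration::from_secs(...), child.wait())` (Duration is already imported above) and kill the child when it expires, or move the wait into a `tokio::spawn`ed task so the handler returns immediately while the child is still reaped. Minor: when the script is killed by a signal, `status.code()` is `None` and the log reads `-1`; `std::os::unix::process::ExitStatusExt::signal` would report the actual signal.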


References (5)
