Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints
Description
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can crash Navidrome or exhaust disk space by sending a large size parameter to cover art endpoints, fixed in v0.60.0.
Overview
CVE-2026-25579 is a denial-of-service vulnerability in Navidrome, an open-source music collection server and streamer. The /rest/getCoverArt and /share/img/ endpoints accept a size parameter that specifies the requested image dimensions. Prior to version 0.60.0, the server performs no upper-bound validation on this parameter. When a very large integer is supplied, the image resizing routine attempts to allocate enough memory to generate an image of that size, leading to uncontrolled memory growth [1][3].
Exploitation
The attack requires an authenticated user account for the /rest/getCoverArt endpoint, or possession of a valid sharing token for the /share/img/ URL [3]. By simply modifying the size parameter in a normal request—replacing a typical value like 300 with an extremely large number such as 300000—the attacker triggers the excessive allocation [3]. No special privileges or network position are needed beyond those credentials.
Impact
On systems running Navidrome, the rapid memory consumption causes the Linux kernel's Out-Of-Memory (OOM) killer to terminate the Navidrome process, resulting in a full service outage [1][3]. If the server has enough RAM to survive the allocation, the oversized image is saved to Navidrome's cache directory, which can quickly fill the disk to capacity. This dual impact—memory exhaustion leading to process termination and disk space exhaustion—makes the vulnerability effective for both immediate and longer-term disruption.
Mitigation
The issue has been patched in Navidrome version 0.60.0 [1][2]. Users should upgrade to this release immediately. No workaround is available for unpatched versions, as the vulnerable endpoints are integral to the application's functionality. The fix likely enforces a maximum allowable size value before passing the parameter to the image processing library.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/navidrome/navidromeGo | < 0.60.0 | 0.60.0 |
Affected products
2- navidrome/navidromev5Range: < 0.60.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-hrr4-3wgr-68x3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25579ghsaADVISORY
- github.com/navidrome/navidrome/releases/tag/v0.60.0ghsax_refsource_MISCWEB
- github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.