PT-2026-6326 · Navidrome · Navidrome

Yunfachi · Published 2026-02-04 · Updated 2026-02-06 · CVE-2026-25579

CVSS v4.0: 9.2 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Name of the Vulnerable Software and Affected Versions: Navidrome versions prior to 0.60.0

Description: Navidrome is a web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can cause a denial of service by providing a large size parameter to the /rest/getCoverArt API endpoint or to a shared-image URL (/share/img/<token>). The server attempts to create an oversized resized image, leading to uncontrolled memory growth. This can trigger the Linux OOM killer, terminating the Navidrome process and causing a service outage. If the system has sufficient memory, the server may write these large images to its cache directory, potentially exhausting disk space. The <token> path segment of the shared-image URL is part of the affected request.

Recommendations: Update Navidrome to version 0.60.0 or later.
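The root cause described above is an unbounded, user-controlled dimension reaching an image resizer. The following Go snippet is an added illustration of the mitigation pattern (a hard upper bound on the requested size, rejected before any allocation); it is not Navidrome's code, and the handler, the default of 300 px, the ceiling of 2048 px and the RGBA memory estimate are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
)

// Assumed limits for this example; they are not values taken from Navidrome.
const (
	defaultCoverSize = 300  // used when the client sends no size parameter
	maxCoverSize     = 2048 // hard ceiling; anything above is rejected, never clamped silently
	bytesPerPixel    = 4    // an RGBA decode holds four bytes per pixel
)

// ErrSizeOutOfRange is returned for non-positive or oversized requests.
var ErrSizeOutOfRange = errors.New("size out of range")

// ParseCoverSize validates the raw "size" query value before it can drive an allocation.
// Empty input falls back to the default; non-integers and out-of-range values are errors.
func ParseCoverSize(raw string) (int, error) {
	if raw == "" {
		return defaultCoverSize, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil {
		return 0, fmt.Errorf("size must be an integer: %w", err)
	}
	if n <= 0 || n > maxCoverSize {
		return 0, fmt.Errorf("%w: %d (allowed 1..%d)", ErrSizeOutOfRange, n, maxCoverSize)
	}
	return n, nil
}

// EstimateResizeBytes approximates the memory a square RGBA bitmap of the given side needs.
// It shows why an unbounded side length is dangerous: cost grows with the square of the input.
func EstimateResizeBytes(side int) int64 {
	return int64(side) * int64(side) * bytesPerPixel
}

// CoverArtHandler is a hypothetical /rest/getCoverArt endpoint that applies the check.
// A rejected request never reaches the resizer or the on-disk cache.
func CoverArtHandler(w http.ResponseWriter, r *http.Request) {
	size, err := ParseCoverSize(r.URL.Query().Get("size"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// A real server would now resize to size x size and cache the result;
	// here we only report the bounded dimensions and their approximate cost.
	fmt.Fprintf(w, "resize to %dx%d (~%d bytes)\n", size, size, EstimateResizeBytes(size))
}

func main() {
	// Constructed sample inputs: a normal request, an oversized one, and garbage.
	for _, raw := range []string{"", "512", "100000", "abc"} {
		n, err := ParseCoverSize(raw)
		if err != nil {
			fmt.Printf("size=%q rejected: %v\n", raw, err)
			continue
		}
		fmt.Printf("size=%q accepted: %d px (~%d bytes)\n", raw, n, EstimateResizeBytes(n))
	}
}
```

The same validation belongs on every path that accepts a dimension, including the shared-image URL, since the disk-exhaustion variant only needs the oversized result to reach the cache writer.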

Exploit

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion


Weakness Enumeration

Related identifiers

CVE-2026-25579
GHSA-HRR4-3WGR-68X3
GO-2026-4411
SUSE-SU-2026:0403-1

Affected products

Navidrome