
Yunfachi

#27766 of 53,630
9.2 Total CVSS
Vulnerabilities · 1
PT-2026-6326
9.2
2026-02-04
Navidrome · Navidrome · CVE-2026-25579
**Name of the Vulnerable Software and Affected Versions**

Navidrome versions prior to 0.60.0

**Description**

Navidrome is a web-based music collection server and streamer. Prior to version 0.60.0, an authenticated user can cause a denial of service by supplying a very large `size` parameter to the `/rest/getCoverArt` API endpoint or to a shared-image URL (`/share/img/<token>`). The server attempts to produce a resized cover image of the requested dimensions; the memory needed scales with the pixel count of that image, so the allocation is effectively chosen by the client. On Linux this can trigger the OOM killer, which terminates the Navidrome process and causes a service outage. If the host has enough memory to complete the resize, the server may instead write the oversized image to its cache directory, so repeated requests can exhaust disk space. The `token` path segment of the shared-image URL selects the shared item whose image is resized, which is why that route is affected in addition to the API endpoint.

**Recommendations**

Update Navidrome to version 0.60.0 or later.
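The class of bug described above is a missing upper bound on a client-supplied image dimension. The following Go program is an added example written for this page, not Navidrome's own code: it shows a `size` parser that applies a default, rejects non-positive or non-numeric input, and clamps anything larger than a fixed ceiling, wired into a stand-in handler for an endpoint like `/rest/getCoverArt`. The constants `DefaultCoverSize` and `MaxCoverSize`, the handler name `coverHandler`, and the `X-Cover-Size` header are assumptions made for the example; the actual limits adopted in Navidrome 0.60.0 are not stated on this page. `RGBABytes` only illustrates why the bound matters: an unclamped `size=100000` would call for a 40 GB bitmap before any resampling or encoding buffers are counted.

```go
package main

import (
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/draw"
	"image/png"
	"net/http"
	"strconv"
)

// Assumed limits for this example; they are not Navidrome's own constants.
const (
	DefaultCoverSize = 300  // used when no size parameter is supplied
	MaxCoverSize     = 1024 // longest edge this handler is willing to render
)

var ErrBadSize = errors.New("invalid size parameter")

// ParseCoverSize validates the size query parameter. An empty value gets the
// default, anything non-numeric or non-positive is rejected, and anything
// above MaxCoverSize is clamped rather than honoured, so a client can never
// dictate the allocation size of the resized image.
func ParseCoverSize(raw string) (int, error) {
	if raw == "" {
		return DefaultCoverSize, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n <= 0 {
		return 0, ErrBadSize
	}
	if n > MaxCoverSize {
		n = MaxCoverSize
	}
	return n, nil
}

// RGBABytes is the memory a size x size RGBA bitmap needs before any
// resampling or encoding buffers are added: four bytes per pixel.
func RGBABytes(size int) int64 {
	return int64(size) * int64(size) * 4
}

// coverHandler stands in for an endpoint such as /rest/getCoverArt. It renders
// a flat placeholder instead of a real resized cover; the point is the input
// handling, which prevents a caller from forcing an oversized allocation.
func coverHandler(w http.ResponseWriter, r *http.Request) {
	size, err := ParseCoverSize(r.URL.Query().Get("size"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// Allocation happens only after the bound has been applied.
	img := image.NewRGBA(image.Rect(0, 0, size, size))
	draw.Draw(img, img.Bounds(), image.NewUniform(color.RGBA{R: 40, G: 40, B: 40, A: 255}), image.Point{}, draw.Src)
	w.Header().Set("Content-Type", "image/png")
	w.Header().Set("X-Cover-Size", strconv.Itoa(size)) // assumed header, for demonstration only
	if err := png.Encode(w, img); err != nil {
		http.Error(w, "encode failed", http.StatusInternalServerError)
	}
}

func main() {
	// Constructed sample inputs: what a client might send as ?size=...
	for _, raw := range []string{"", "300", "100000", "-1", "abc"} {
		n, err := ParseCoverSize(raw)
		requested, _ := strconv.Atoi(raw)
		fmt.Printf("size=%q -> render %d (err=%v); honouring it verbatim would need %d bytes\n",
			raw, n, err, RGBABytes(requested))
	}
	http.HandleFunc("/rest/getCoverArt", coverHandler)
	fmt.Println("listening on :8080 (placeholder cover handler)")
	_ = http.ListenAndServe(":8080", nil)
}
```

Clamping rather than rejecting oversized values is a design choice: it keeps old clients working while removing their control over memory use. The same parser should sit in front of every route that resizes on demand, including the share-image route, since the advisory lists both paths as reachable.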