Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints
Vulnerability Description
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0.
CVSS Information
N/A
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Vulnerability Title
Navidrome 安全漏洞
Vulnerability Description
Navidrome是Navidrome开源的一个基于 Web 的开源音乐收集服务器和流媒体。用于自由地从任何浏览器或移动设备收听音乐收藏。 Navidrome 0.60.0之前版本存在安全漏洞,该漏洞源于处理过大的size参数时尝试创建超大图像,可能导致内存耗尽、服务中断和磁盘空间耗尽。
CVSS Information
N/A
Vulnerability Type
N/A