Navidrome
cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*
- < 0.60.0
A denial-of-service vulnerability has been identified in Navidrome, an open-source web-based music collection server and streamer, prior to version 0.60.0. The issue arises when authenticated users supply excessively large size parameters to the '/rest/getCoverArt' endpoint or to shared-image URLs. This unbounded input is processed by the server's image resizing function, leading to uncontrolled memory growth. The excessive memory allocation can trigger the Linux Out-of-Memory (OOM) killer, terminating the Navidrome process and causing a complete service outage. If the system has enough memory to handle the allocation, the server writes the oversized images into its cache directory, rapidly exhausting disk space and allowing for a second form of denial-of-service.
Exploiting this vulnerability causes the Navidrome process to be terminated by the OOM killer, leading to a full service outage. On systems with sufficient memory, the oversized images are cached, quickly filling up disk space and disrupting normal server operations.
To reproduce this vulnerability, authenticate to obtain access to the '/rest/getCoverArt' endpoint or a valid shared-image link. Send a request with a small size value, then replace it with a significantly larger number. The server will allocate excessive memory while processing the request, causing the Navidrome process to be terminated by the OOM killer. If the system does not run out of memory, the oversized image will be written to the cache directory, increasing disk usage.
Users should update to Navidrome version 0.60.0, which patches this vulnerability by clamping the requested size to the original image's dimensions, so a resize can never allocate more than the source image already occupies.
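The fix described above is easy to get wrong if only the aspect ratio is checked, so here is a worked example of the clamping idea as an added illustration; it is not Navidrome's own code, and the function names (`clampSize`, `targetDims`, `resizeNearest`, `sampleImage`) and the extra `maxRequestSize` hard cap are assumptions of this example, not something the advisory or the project specifies. The resizer first clamps the requested edge length to the original's longest edge (the behaviour the advisory attributes to 0.60.0), then applies a fixed ceiling as defence in depth, and only then allocates the output buffer.

```go
package main

import (
	"errors"
	"fmt"
	"image"
	"image/color"
)

// maxRequestSize is a hypothetical absolute ceiling on the size parameter,
// applied after clamping to the original. It is an assumption of this
// example (defence in depth), not a value taken from Navidrome.
const maxRequestSize = 4096

var errBadSize = errors.New("invalid size parameter")

// clampSize turns a client-supplied size into a safe bounding-box edge:
// non-positive values are rejected, anything larger than the original's
// longest edge is reduced to that edge, and maxRequestSize caps the result.
func clampSize(requested, origW, origH int) (int, error) {
	if requested <= 0 || origW <= 0 || origH <= 0 {
		return 0, errBadSize
	}
	longest := origW
	if origH > longest {
		longest = origH
	}
	if requested > longest {
		requested = longest // never upscale: output <= original pixel count
	}
	if requested > maxRequestSize {
		requested = maxRequestSize
	}
	return requested, nil
}

// targetDims fits a origW x origH image inside a size x size box,
// preserving aspect ratio and never returning a zero dimension.
func targetDims(size, origW, origH int) (int, int) {
	if origW >= origH {
		h := origH * size / origW
		if h < 1 {
			h = 1
		}
		return size, h
	}
	w := origW * size / origH
	if w < 1 {
		w = 1
	}
	return w, size
}

// resizeNearest resizes src with nearest-neighbour sampling. The output
// buffer is allocated only after the request has been clamped, so an
// oversized size parameter cannot drive memory use above the original.
func resizeNearest(src image.Image, requested int) (*image.RGBA, error) {
	b := src.Bounds()
	size, err := clampSize(requested, b.Dx(), b.Dy())
	if err != nil {
		return nil, err
	}
	w, h := targetDims(size, b.Dx(), b.Dy())
	dst := image.NewRGBA(image.Rect(0, 0, w, h))
	for y := 0; y < h; y++ {
		sy := b.Min.Y + y*b.Dy()/h
		for x := 0; x < w; x++ {
			sx := b.Min.X + x*b.Dx()/w
			dst.Set(x, y, src.At(sx, sy))
		}
	}
	return dst, nil
}

// sampleImage builds a constructed w x h gradient to stand in for cover art.
func sampleImage(w, h int) *image.RGBA {
	img := image.NewRGBA(image.Rect(0, 0, w, h))
	for y := 0; y < h; y++ {
		for x := 0; x < w; x++ {
			img.Set(x, y, color.RGBA{uint8(x), uint8(y), 128, 255})
		}
	}
	return img
}

func main() {
	art := sampleImage(300, 200)
	for _, req := range []int{100, 100000, -1} {
		out, err := resizeNearest(art, req)
		if err != nil {
			fmt.Printf("size=%d rejected: %v\n", req, err)
			continue
		}
		fmt.Printf("size=%d -> %dx%d\n", req, out.Bounds().Dx(), out.Bounds().Dy())
	}
}
```

Note that clamping to the original's dimensions bounds the allocation by what is already stored in the library, but a single very large source image still produces a large output; the fixed ceiling in the example exists for that case. The same clamped value should also be used when naming and writing the cache entry, otherwise a request for an absurd size can still produce a distinct cache file per value.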