CVE-2025-63648 is a denial of service vulnerability identified in the owntone-server software, specifically within the dacp_reply_playqueueedit_move function located in the src/httpd_dacp.c source file. The vulnerability arises from a NULL pointer dereference triggered when the server processes a maliciously crafted Digital Audio Control Protocol (DACP) request. DACP is used for remote control of audio playback, and owntone-server implements this protocol to allow clients to manage media playback queues. When the vulnerable function receives a malformed request, it attempts to dereference a NULL pointer, causing the server process to crash and resulting in a denial of service. This vulnerability does not require authentication or user interaction, making it easier for remote attackers to exploit. Although no specific affected versions are listed, the vulnerability is tied to a particular commit (b7e385f) in the owntone-server codebase. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The lack of a CVSS score necessitates an independent severity assessment based on the impact on availability and ease of exploitation.

The primary impact of CVE-2025-63648 is the disruption of availability of owntone-server instances, which can lead to denial of service conditions for users relying on the server for media streaming and management. For European organizations that utilize owntone-server in their digital media infrastructure—such as broadcasters, media companies, or enterprises with internal streaming services—this could result in service outages, loss of productivity, and potential reputational damage. The vulnerability could be exploited remotely without authentication, increasing the risk of widespread attacks if the server is exposed to untrusted networks. Additionally, denial of service attacks could be used as a diversion for other malicious activities. The lack of known exploits currently limits immediate risk, but the vulnerability's presence in open-source software with potentially broad deployment means the threat could escalate rapidly once exploit code is developed.

To mitigate CVE-2025-63648, organizations should first monitor the owntone-server project for official patches or updates addressing this vulnerability and apply them promptly once available. In the absence of a patch, network-level controls should be implemented to restrict access to the DACP service port, allowing only trusted clients and internal networks to communicate with the server. Deploying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block malformed DACP requests can reduce exposure. Additionally, organizations should conduct regular audits of their media server deployments to ensure that owntone-server instances are not unnecessarily exposed to the internet. Logging and monitoring of DACP traffic should be enhanced to detect anomalous or suspicious requests that could indicate exploitation attempts. Finally, maintaining an incident response plan for denial of service scenarios will help minimize downtime if exploitation occurs.