CVE-2025-32439

pleezer is a headless Deezer Connect player. Hook scripts in pleezer can be triggered by various events like track changes and playback state changes. In versions before 0.16.0, these scripts were spawned without proper process cleanup, leaving zombie processes in the system's process table. Even during normal usage, every track change and playback event would leave behind zombie processes. This leads to inevitable resource exhaustion over time as the system's process table fills up, eventually preventing new processes from being created. The issue is exacerbated if events occur rapidly, whether through normal use (e.g., skipping through a playlist) or potential manipulation of the Deezer Connect protocol traffic. This issue has been fixed in version 0.16.0.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/roderickvd/pleezer/security/advisories/GHSA-472w-7w45-g3w5

Configurations

No configuration.

History

No history.

Information

Published : 2025-04-15 20:15

Updated : 2025-04-16 13:25

NVD link : CVE-2025-32439

Mitre link : CVE-2025-32439

CVE.ORG link : CVE-2025-32439

JSON object : View

Products Affected

No product.

CWE

CWE-460

Improper Cleanup on Thrown Exception

{"id": "CVE-2025-32439", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-04-15T20:15:39.677", "references": [{"url": "https://github.com/roderickvd/pleezer/security/advisories/GHSA-472w-7w45-g3w5", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-460"}]}], "descriptions": [{"lang": "en", "value": "pleezer is a headless Deezer Connect player. Hook scripts in pleezer can be triggered by various events like track changes and playback state changes. In versions before 0.16.0, these scripts were spawned without proper process cleanup, leaving zombie processes in the system's process table. Even during normal usage, every track change and playback event would leave behind zombie processes. This leads to inevitable resource exhaustion over time as the system's process table fills up, eventually preventing new processes from being created. The issue is exacerbated if events occur rapidly, whether through normal use (e.g., skipping through a playlist) or potential manipulation of the Deezer Connect protocol traffic. This issue has been fixed in version 0.16.0."}, {"lang": "es", "value": "Pleezer es un reproductor de Deezer Connect sin interfaz gr\u00e1fica. Los scripts de enlace de Pleezer pueden activarse por diversos eventos, como cambios de pista y cambios en el estado de reproducci\u00f3n. En versiones anteriores a la 0.16.0, estos scripts se generaban sin una depuraci\u00f3n de procesos adecuada, lo que dejaba procesos inactivos en la tabla de procesos del sistema. Incluso con un uso normal, cada cambio de pista y evento de reproducci\u00f3n dejaba procesos inactivos. Esto provoca un inevitable agotamiento de recursos con el tiempo, ya que la tabla de procesos del sistema se llena, lo que finalmente impide la creaci\u00f3n de nuevos procesos. El problema se agrava si los eventos ocurren r\u00e1pidamente, ya sea por el uso normal (por ejemplo, al saltarse una lista de reproducci\u00f3n) o por una posible manipulaci\u00f3n del tr\u00e1fico del protocolo Deezer Connect. Este problema se ha solucionado en la versi\u00f3n 0.16.0."}], "lastModified": "2025-04-16T13:25:59.640", "sourceIdentifier": "[email protected]"}