CVE-2025-32439 (GCVE-0-2025-32439)
Vulnerability from cvelistv5 – Published: 2025-04-15 19:27 – Updated: 2025-04-15 20:14
VLAI?
Title
pleezer allows resource exhaustion through uncollected hook script processes
Summary
pleezer is a headless Deezer Connect player. Hook scripts in pleezer can be triggered by various events like track changes and playback state changes. In versions before 0.16.0, these scripts were spawned without proper process cleanup, leaving zombie processes in the system's process table. Even during normal usage, every track change and playback event would leave behind zombie processes. This leads to inevitable resource exhaustion over time as the system's process table fills up, eventually preventing new processes from being created. The issue is exacerbated if events occur rapidly, whether through normal use (e.g., skipping through a playlist) or potential manipulation of the Deezer Connect protocol traffic. This issue has been fixed in version 0.16.0.
Severity ?
6.5 (Medium)
CWE
- CWE-460 - Improper Cleanup on Thrown Exception
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| roderickvd | pleezer |
Affected:
< 0.16.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32439",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-15T20:14:12.882337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T20:14:22.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pleezer",
"vendor": "roderickvd",
"versions": [
{
"status": "affected",
"version": "\u003c 0.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pleezer is a headless Deezer Connect player. Hook scripts in pleezer can be triggered by various events like track changes and playback state changes. In versions before 0.16.0, these scripts were spawned without proper process cleanup, leaving zombie processes in the system\u0027s process table. Even during normal usage, every track change and playback event would leave behind zombie processes. This leads to inevitable resource exhaustion over time as the system\u0027s process table fills up, eventually preventing new processes from being created. The issue is exacerbated if events occur rapidly, whether through normal use (e.g., skipping through a playlist) or potential manipulation of the Deezer Connect protocol traffic. This issue has been fixed in version 0.16.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-460",
"description": "CWE-460: Improper Cleanup on Thrown Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T19:27:18.885Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/roderickvd/pleezer/security/advisories/GHSA-472w-7w45-g3w5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roderickvd/pleezer/security/advisories/GHSA-472w-7w45-g3w5"
}
],
"source": {
"advisory": "GHSA-472w-7w45-g3w5",
"discovery": "UNKNOWN"
},
"title": "pleezer allows resource exhaustion through uncollected hook script processes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32439",
"datePublished": "2025-04-15T19:27:18.885Z",
"dateReserved": "2025-04-08T10:54:58.369Z",
"dateUpdated": "2025-04-15T20:14:22.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-32439",
"date": "2026-04-30",
"epss": "0.00309",
"percentile": "0.54003"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-32439\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-04-15T20:15:39.677\",\"lastModified\":\"2025-04-16T13:25:59.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"pleezer is a headless Deezer Connect player. Hook scripts in pleezer can be triggered by various events like track changes and playback state changes. In versions before 0.16.0, these scripts were spawned without proper process cleanup, leaving zombie processes in the system\u0027s process table. Even during normal usage, every track change and playback event would leave behind zombie processes. This leads to inevitable resource exhaustion over time as the system\u0027s process table fills up, eventually preventing new processes from being created. The issue is exacerbated if events occur rapidly, whether through normal use (e.g., skipping through a playlist) or potential manipulation of the Deezer Connect protocol traffic. This issue has been fixed in version 0.16.0.\"},{\"lang\":\"es\",\"value\":\"Pleezer es un reproductor de Deezer Connect sin interfaz gr\u00e1fica. Los scripts de enlace de Pleezer pueden activarse por diversos eventos, como cambios de pista y cambios en el estado de reproducci\u00f3n. En versiones anteriores a la 0.16.0, estos scripts se generaban sin una depuraci\u00f3n de procesos adecuada, lo que dejaba procesos inactivos en la tabla de procesos del sistema. Incluso con un uso normal, cada cambio de pista y evento de reproducci\u00f3n dejaba procesos inactivos. Esto provoca un inevitable agotamiento de recursos con el tiempo, ya que la tabla de procesos del sistema se llena, lo que finalmente impide la creaci\u00f3n de nuevos procesos. El problema se agrava si los eventos ocurren r\u00e1pidamente, ya sea por el uso normal (por ejemplo, al saltarse una lista de reproducci\u00f3n) o por una posible manipulaci\u00f3n del tr\u00e1fico del protocolo Deezer Connect. Este problema se ha solucionado en la versi\u00f3n 0.16.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-460\"}]}],\"references\":[{\"url\":\"https://github.com/roderickvd/pleezer/security/advisories/GHSA-472w-7w45-g3w5\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-32439\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-15T20:14:12.882337Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-15T20:14:17.320Z\"}}], \"cna\": {\"title\": \"pleezer allows resource exhaustion through uncollected hook script processes\", \"source\": {\"advisory\": \"GHSA-472w-7w45-g3w5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"roderickvd\", \"product\": \"pleezer\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.16.0\"}]}], \"references\": [{\"url\": \"https://github.com/roderickvd/pleezer/security/advisories/GHSA-472w-7w45-g3w5\", \"name\": \"https://github.com/roderickvd/pleezer/security/advisories/GHSA-472w-7w45-g3w5\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"pleezer is a headless Deezer Connect player. Hook scripts in pleezer can be triggered by various events like track changes and playback state changes. In versions before 0.16.0, these scripts were spawned without proper process cleanup, leaving zombie processes in the system\u0027s process table. Even during normal usage, every track change and playback event would leave behind zombie processes. This leads to inevitable resource exhaustion over time as the system\u0027s process table fills up, eventually preventing new processes from being created. The issue is exacerbated if events occur rapidly, whether through normal use (e.g., skipping through a playlist) or potential manipulation of the Deezer Connect protocol traffic. This issue has been fixed in version 0.16.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-460\", \"description\": \"CWE-460: Improper Cleanup on Thrown Exception\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-15T19:27:18.885Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-32439\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-15T20:14:22.736Z\", \"dateReserved\": \"2025-04-08T10:54:58.369Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-04-15T19:27:18.885Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…