CVE-2025-32439: 
Rust vulnerability analysis and mitigation

pleezer, a headless Deezer Connect player, contains a vulnerability in versions before 0.16.0 related to improper process cleanup of hook scripts. These scripts, which can be triggered by track changes and playback state changes, were spawned without proper process cleanup, resulting in zombie processes remaining in the system's process table (GitHub Advisory). The vulnerability was discovered and disclosed on April 13, 2025, and affects all users who have configured hook scripts using the --hook option.

The vulnerability stems from improper process cleanup mechanisms where hook scripts triggered by various events like track changes and playback state changes leave behind zombie processes in the system's process table. This issue has been assigned CVE-2025-32439 with a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-460 (Improper Cleanup on Thrown Exception) (GitHub Advisory).

The primary impact is resource exhaustion as zombie processes accumulate in the system's process table over time. During normal usage, every track change and playback event leaves behind zombie processes, eventually leading to the system's process table becoming full. This can ultimately prevent new processes from being created. The impact is particularly severe if events occur rapidly, either through normal use (such as skipping through a playlist) or through potential manipulation of the Deezer Connect protocol traffic (GitHub Advisory).

The vulnerability has been fixed in version 0.16.0, which implements proper management of child processes using asynchronous process handling and cleanup. For users unable to upgrade immediately, several workarounds are available: disable hook scripts by removing the --hook option, ensure hook scripts handle their own child process cleanup, or regularly restart pleezer to clear accumulated zombie processes (GitHub Advisory).