Jellyfin
CVE-2025-32012
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing also bypasses some security mechanisms, cause a denial-of-service attack, and possible bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7.
AnalysisAI
Jellyfin is an open source self hosted media server. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, no authentication required.
Technical ContextAI
This vulnerability is classified under CWE-290. Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing also bypasses some security mechanisms, cause a denial-of-service attack, and possible bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7. Affected products include: Jellyfin. Version information: before 10.10.7.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Jellyfin is a Free Software Media System for managing and streaming media. Rated high severity (CVSS 8.8), this vulnerab
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. Rated high severity (
Jellyfin is a free-software media system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, lo
Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. R
Jellyfin is a system for managing and streaming media. Rated high severity (CVSS 7.2), this vulnerability is remotely ex
Jellyfin is a Free Software Media System. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,
Remote code execution as root in Jellyfin media server versions prior to 10.11.7 allows authenticated users with 'Upload
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple ap
jellyfin-web is the web client for Jellyfin, a free-software media system. Rated medium severity (CVSS 5.4), this vulner
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. Rated medium severity (CVSS 5.4),
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. Rated medium severity (CVSS 5.4
In Jellyfin before 10.8, stored XSS allows theft of an admin access token. Rated medium severity (CVSS 5.4), this vulner
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allShare
External POC / Exploit Code
Leaving vuln.today