The Free Software Media System

Version: 10.7.0-rc3 registry icon
Safety score
Check your open source dependency risks. Get immediate insight about security, stability and licensing risks.
Security Risks of Known Vulnerabilities
Threat level: MEDIUM | CVSS score: 5

Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible.

Threat level: MEDIUM | CVSS score: 5

Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP GET that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints /Items/*/RemoteImages/Download, /Items/RemoteSearch/Image and /Images/Remote via reverse proxy, or limit to known-friendly IPs.

Please note that this component is affected by another vulnerability
1 High  |  0 Medium  |  0 Low  |  0 Suggest

Latest safe minor: 10.8.4 Scan your application codebase with Meterian to see all known vulnerabilities in your open source software dependencies.


Stay updated with the latest patches and releases. Plan your sofware desisgn. Avoid common known vulnerabilities fixed by the open source community

Latest patch release:   10.7.7

Latest minor release:   10.8.4

Latest major release:   --


Maintain your licence declarations and avoid unwanted licences to protect your IP the way you intended.

GPL-3.0-only   -   GNU General Public License v3.0 only

Not a wildcard

Not proprietary

OSI Compliant