Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP GET that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints /Items/*/RemoteImages/Download, /Items/RemoteSearch/Image and /Images/Remote via reverse proxy, or limit to known-friendly IPs.
Stay updated with the latest patches and releases. Plan your sofware desisgn. Avoid common known vulnerabilities fixed by the open source community
Latest patch release: 10.7.7
Latest minor release: 10.8.4
Latest major release: --
Maintain your licence declarations and avoid unwanted licences to protect your IP the way you intended.
GPL-3.0-only - GNU General Public License v3.0 only