Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admin-only, but it also authorizes requests from any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing also bypasses some security mechanisms, enables a denial-of-service attack, and could bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7.
Previous versions of Jellyfin were vulnerable to argument injection in FFmpeg. This can be leveraged to possibly achieve remote code execution by anyone with credentials for a low-privileged user. This vulnerability was previously reported in GHSA-866x-wj5j-2vf4 and patched in 10.8.13, but that patch can be bypassed. The original fix sanitizes some parameters to make injection impossible, but certain unsanitized parameters can still be used for argument injection. The same unauthenticated endpoints are vulnerable: /Videos/<itemId>/stream and /Videos/<itemId>/stream.<container>, likely alongside similar endpoints in AudioController. As reported by @mawalu and @FredericLinn in the previous advisory, this argument injection can be exploited to achieve arbitrary file write, leading to possible remote code execution through the plugin system. To restate from their report, this is a vulnerability in unauthenticated endpoints; however, a valid itemId, which isn't directly accessible to unauthenticated attackers, is required for exploitation. Any authenticated attacker could easily retrieve a valid itemId, though, which is all the information needed to exploit this vulnerability.
Stay updated with the latest patches and releases. Plan your software design. Avoid common known vulnerabilities fixed by the open source community.
Latest patch release: --
Latest minor release: 10.10.7
Latest major release: --
Maintain your licence declarations and avoid unwanted licences to protect your IP the way you intended.
GPL-3.0-only - GNU General Public License v3.0 only