
Mawalu

#34089de 53,635
7.7 CVSS total
Vulnerabilities · 1
PT-2023-31054
7.7
2023-12-06
Jellyfin · Jellyfin · CVE-2023-49096
**Name of the Vulnerable Software and Affected Versions**

Jellyfin versions prior to 10.8.13

**Description**

The issue is an argument injection in the VideosController, specifically the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints, which are reachable by an unauthenticated user. Additional endpoints in the AudioController might also be vulnerable.

To exploit this, an attacker must guess a random GUID, `itemId`, which makes direct exploitation unlikely without an additional information leak. The `videoCodec` and `audioCodec` query parameters are vulnerable to argument injection, allowing an attacker to inject arguments into the FFmpeg command line. This could potentially enable overwriting an arbitrary file with malicious content.

**Recommendations**

For versions prior to 10.8.13, upgrade to version 10.8.13 or later to address the vulnerability. As a temporary workaround, consider restricting access to the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints until the upgrade is possible. Additionally, limiting the use of query parameters such as `videoCodec` and `audioCodec` can help minimize the risk of exploitation.