Jellyfin · Jellyfin · CVE-2025-32012
**Name of the Vulnerable Software and Affected Versions**
Jellyfin versions 10.9.0 through 10.10.6
**Description**
The issue affects Jellyfin, an open source self-hosted media server. It involves the `/System/Restart` endpoint, which is intended for administrators to restart the Jellyfin server. However, this endpoint also authorizes requests from any device on the same local network as the Jellyfin server. Because of the method used to determine the source IP of a request, an unauthenticated attacker can spoof their source IP so that it appears to be a LAN address, allowing them to restart the Jellyfin server process without authentication. This enables an unauthenticated attacker to mount a denial-of-service attack on any default-configured Jellyfin server by repeatedly sending spoofed restart requests. The IP spoofing method also bypasses some other security mechanisms and could potentially bypass the admin restart requirement if combined with remote code execution.
**Recommendations**
For Jellyfin versions 10.9.0 through 10.10.6, update to version 10.10.7 to resolve the issue.
As a temporary workaround, consider restricting access to the `/System/Restart` endpoint to prevent unauthorized restarts until a patch is applied.
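One way to apply that workaround when Jellyfin sits behind an nginx reverse proxy, as an added example that is not part of the advisory or the Jellyfin project: the access check runs on the TCP peer address of the connection, which a client cannot influence with a spoofed header. It assumes Jellyfin listens on 127.0.0.1:8096, that 192.168.1.0/24 is the administrators' network, and a placeholder hostname; all three are constructed for the example.

```nginx
# Added example, not Jellyfin project configuration.
# Assumptions: Jellyfin on 127.0.0.1:8096, admin LAN 192.168.1.0/24
# (placeholder range), hostname jellyfin.example.com (placeholder).
server {
    listen 443 ssl;
    server_name jellyfin.example.com;

    # ASP.NET Core routing is case-insensitive and tolerates a trailing
    # slash, so match the path case-insensitively. An exact-match
    # "location = /System/Restart" would let "/system/restart" through.
    # nginx matches the regex against the normalized, percent-decoded URI.
    location ~* ^/system/restart/?$ {
        # allow/deny evaluate the connection's peer address ($remote_addr),
        # not any request header, unless the realip module has been told
        # to trust an upstream proxy via set_real_ip_from/real_ip_header.
        allow 192.168.1.0/24;
        deny  all;

        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is proxied unchanged.
    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The restriction only holds if Jellyfin's own listener on 8096 is not reachable except through the proxy (bind it to loopback or firewall the port), otherwise the endpoint can be reached directly.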