PT-2025-16394 · Jellyfin · Jellyfin

Freethestack · Published 2025-04-15 · Updated 2025-10-06 · CVE-2025-32012 · CVSS v3.1 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Jellyfin versions 10.9.0 through 10.10.6
Description: Jellyfin is an open source, self-hosted media server. Its /System/Restart endpoint is intended to let administrators restart the server process, but it also authorizes any request that appears to originate from the same local network as the server. Because of the way Jellyfin determines a request's source IP address, an unauthenticated attacker outside the network can make a request appear to come from a LAN address and restart the server without any credentials. Sending such spoofed restart requests repeatedly yields a denial of service against any default-configured Jellyfin instance. The same IP-spoofing technique bypasses other source-address-based security mechanisms as well, and could potentially be chained with a remote code execution flaw to defeat the administrator requirement on restart.
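The failure mode described above, as an added illustration that is not Jellyfin's code: the advisory only says the source IP was derived in a spoofable way, so the client-supplied X-Forwarded-For header used below is an assumption chosen to show the general pattern. `client_ip_vulnerable` trusts the header from anyone; `client_ip_hardened` honors it only when the TCP peer is a configured proxy and walks the chain right-to-left to the first untrusted hop. The LAN ranges, the `known_proxies` list and the sample addresses are all constructed for the example.

```python
"""Model of a LAN-only authorization check, vulnerable and hardened.

Added example, not Jellyfin's code. The advisory only says the source IP
was derived in a spoofable way; the client-supplied X-Forwarded-For header
used below is an assumption chosen to illustrate the general failure mode.
"""
import ipaddress
from typing import Mapping, Sequence

# Assumption: "local network" means RFC 1918, link-local and loopback ranges.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_lan(ip: str) -> bool:
    """True if ip parses and falls inside one of LAN_NETWORKS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def client_ip_vulnerable(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Takes the client address from X-Forwarded-For whenever it is present,
    regardless of who sent it. Any internet client can therefore claim a
    LAN address simply by adding the header to its request."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip: str, headers: Mapping[str, str],
                       known_proxies: Sequence[str]) -> str:
    """Honors X-Forwarded-For only when the TCP peer is a configured proxy,
    and walks the chain right-to-left, stopping at the first hop that is not
    itself a known proxy. A header sent directly by an untrusted peer is
    ignored; a header relayed by a proxy is trusted only for the hop the
    proxy itself appended."""
    if peer_ip not in known_proxies:
        return peer_ip
    xff = headers.get("X-Forwarded-For", "")
    client = peer_ip
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break          # malformed entry: stop trusting anything to its left
        client = hop
        if hop not in known_proxies:
            break          # first untrusted hop is the real client
    return client


def restart_allowed(is_admin: bool, peer_ip: str, headers: Mapping[str, str],
                    known_proxies: Sequence[str] = (), hardened: bool = True) -> bool:
    """Policy modelled on the advisory: administrators may always restart;
    otherwise the request is allowed only if it appears to come from the LAN."""
    if is_admin:
        return True
    ip = (client_ip_hardened(peer_ip, headers, known_proxies) if hardened
          else client_ip_vulnerable(peer_ip, headers))
    return is_lan(ip)


if __name__ == "__main__":
    # Constructed request: an internet host claims a LAN address via the header.
    spoofed = {"X-Forwarded-For": "192.168.1.10"}
    print("vulnerable:", restart_allowed(False, "203.0.113.5", spoofed, hardened=False))  # True
    print("hardened:  ", restart_allowed(False, "203.0.113.5", spoofed, ["10.0.0.2"]))   # False
    # Same LAN client, this time genuinely relayed by the configured proxy 10.0.0.2.
    print("via proxy: ", restart_allowed(False, "10.0.0.2", spoofed, ["10.0.0.2"]))      # True
```

The hardened variant only removes the spoofing. An endpoint that any unauthenticated device on the LAN can use to restart the server is still a denial-of-service exposure from inside the network, which is why the recommendation is to restrict the endpoint and update rather than to fix address parsing alone.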
Recommendations: For Jellyfin versions 10.9.0 through 10.10.6, update to version 10.10.7, which resolves the issue. Until the update is applied, restrict access to the /System/Restart endpoint in front of the server (for example with a reverse-proxy or firewall rule) so that untrusted clients cannot reach it.

Tags: Exploit · Fix · DoS · RCE

Weakness Enumeration: Authentication Bypass by Spoofing

Related Identifiers: CVE-2025-32012, GHSA-QCMF-GMHM-RFV9

Affected Products: Jellyfin