PT-2025-16473 · Jellyfin +1

Freethestack

·

Published

2025-04-15

·

Updated

2025-04-15

·

CVE-2025-31499

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jellyfin versions prior to 10.10.7
Description: Jellyfin is an open source self-hosted media server. Versions prior to 10.10.7 are affected by argument injection into the FFmpeg command line, which can lead to remote code execution by anyone holding credentials for a low-privileged user. The injection is reachable through the video streaming endpoints /Videos/{itemId}/stream and /Videos/{itemId}/stream.{container} (the bracketed parts are route placeholders), which do not require authentication, and possibly through similar endpoints in AudioController. A valid itemId is required for exploitation, but any authenticated user, including a low-privileged one, can easily retrieve one. The injected arguments allow an arbitrary file write on the server, which can be turned into remote code execution through the plugin system.
Recommendations: Update to Jellyfin 10.10.7 or later. Until the update is applied, restrict access to the unauthenticated endpoints /Videos/{itemId}/stream and /Videos/{itemId}/stream.{container} (for example at a reverse proxy in front of the server), and limit who can obtain valid itemId values. Note that any authenticated user can retrieve an itemId, so the workaround reduces the risk but does not remove it; only the update closes the injection.
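The injection pattern described above, as an added example that is not Jellyfin's code: a client-controlled transcoding parameter interpolated into an FFmpeg command string and split into arguments afterwards, next to a hardened builder that allowlists the value and passes argv as a list. The parameter name `codec`, the media paths, the allowlist and the injected value are constructed for illustration and are assumptions; the page does not name the actual Jellyfin parameter affected.

```python
import shlex

# Constructed allowlist of codec names this hypothetical server supports.
ALLOWED_VIDEO_CODECS = frozenset({"h264", "hevc", "vp9", "av1", "copy"})

# Length of a well-formed command: ffmpeg -i <in> -c:v <codec> <out>
EXPECTED_ARGC = 6


def build_cmd_vulnerable(input_path: str, codec: str, output_path: str) -> list[str]:
    """Anti-pattern: paste an untrusted value into one command string and let the
    runtime split it into arguments. A value such as "copy -y /tmp/injected.bin"
    becomes several argv entries, so the client now supplies FFmpeg options and an
    extra output path, and FFmpeg writes to every output it is given."""
    cmd = f"ffmpeg -i {input_path} -c:v {codec} {output_path}"
    return shlex.split(cmd)


def is_allowed_codec(codec: str) -> bool:
    """Allowlist check: anything containing whitespace, quotes or a leading dash is
    simply not a known codec name, so no blocklist of dangerous characters is needed."""
    return codec in ALLOWED_VIDEO_CODECS


def build_cmd_hardened(input_path: str, codec: str, output_path: str) -> list[str]:
    """Validate against the allowlist and build argv as a list, never a shell string,
    so one request value can only ever occupy one argument slot."""
    if not is_allowed_codec(codec):
        raise ValueError(f"unsupported codec: {codec!r}")
    return ["ffmpeg", "-i", input_path, "-c:v", codec, output_path]


def extra_argument_count(argv: list[str]) -> int:
    """Number of argv entries beyond the well-formed command; a positive value means
    the client-controlled field expanded into additional FFmpeg arguments."""
    return len(argv) - EXPECTED_ARGC


if __name__ == "__main__":
    payload = "copy -y /tmp/injected.bin"  # constructed: adds a second output path
    vuln = build_cmd_vulnerable("/media/a.mkv", payload, "pipe:1")
    print(vuln)
    print("extra arguments injected:", extra_argument_count(vuln))
    try:
        build_cmd_hardened("/media/a.mkv", payload, "pipe:1")
    except ValueError as exc:
        print("hardened builder rejected the value:", exc)
```

The hardened builder rejects the value outright rather than trying to escape it: quoting does not help when the untrusted field is an FFmpeg option name, because the injected tokens are legitimate options as far as FFmpeg is concerned. The same reasoning applies to any other field that ends up on the transcoder command line, such as container names and filter strings.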

Weakness Enumeration

Argument Injection

Related Identifiers

CVE-2025-31499
GHSA-2C3C-R7GP-Q32M

Affected Products

FFmpeg
Jellyfin