Path Traversal Vulnerability in Jellystat Statistics App for Jellyfin
CVE-2025-24960

8.7HIGH

Key Information:

Vendor
Cyfershepard
Status
Jellystat
Vendor
CVE Published:
3 February 2025

Summary

The Jellystat Statistics App for Jellyfin has a path traversal vulnerability that allows unauthorized access to system files through user input in administrative routes. Specifically, the affected versions enable the use of the DELETE command on any specified file, posing a significant risk to system integrity. This issue is primarily restricted to administrative functions, yet it still warrants immediate attention. Users should upgrade to version 1.1.3 to mitigate this vulnerability, as there are no known workarounds available.

Affected Version(s)

Jellystat < 1.1.3

References

https://github.com/CyferShepard/Jellystat/security/adviso...
x_refsource_CONFIRM
https://github.com/CyferShepard/Jellystat/pull/303
x_refsource_MISC
https://cwe.mitre.org/data/definitions/22.html
x_refsource_MISC

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.