Argument Injection Vulnerability in Jellyfin Media Server
CVE-2025-31499
7.6 HIGH
What is CVE-2025-31499?
Jellyfin Media Server is susceptible to an argument injection vulnerability that can potentially allow remote code execution. This issue primarily affects versions before 10.10.7 and can be exploited by authenticated users with low privileges who can access specific endpoints such as /Videos//stream. Although a previous patch aimed to mitigate this problem, certain parameters remain unsanitized, enabling attackers to perform arbitrary file writes. Attackers with authenticated access to a valid itemId may successfully carry out these exploits. The vulnerability has been addressed in the latest version, 10.10.7.
Affected Version(s)
jellyfin < 10.10.7