Argument Injection Vulnerability in Jellyfin Media Server
CVE-2025-31499

7.6HIGH

Key Information:

Vendor: Jellyfin
Status: Jellyfin
Vendor: CVE Published:; 15 April 2025

What is CVE-2025-31499?

Jellyfin Media Server is susceptible to an argument injection vulnerability that can potentially allow remote code execution. This issue primarily affects versions before 10.10.7 and can be exploited by authenticated users with low privileges who can access specific endpoints such as /Videos//stream. Despite a previous patch aimed at mitigating this problem, certain unsanitized parameters remain vulnerable, enabling attackers to perform arbitrary file writes. With authenticated access to a valid itemId, attackers may successfully carry out these exploits. The vulnerability has been addressed in the latest version, 10.10.7.

Affected Version(s)

jellyfin < 10.10.7

References

https://github.com/jellyfin/jellyfin/security/advisories/...

x_refsource_CONFIRM

https://github.com/jellyfin/jellyfin/commit/79f3ce53257c5...

x_refsource_MISC

CVSS V4

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2025
Vulnerability Reserved
Mar 28, 2025