IP Spoofing Vulnerability in Jellyfin Media Server
CVE-2025-32012

4.6 MEDIUM

Key Information:

Vendor

Jellyfin

Status
Vendor
CVE Published:
15 April 2025

What is CVE-2025-32012?

In Jellyfin Media Server the /System/Restart endpoint can be reached by unauthenticated attackers. The endpoint is intended for administrative use, but the way it identifies the request's source IP address allows an attacker on the same local network to spoof that address and pass the local-access check. Calling the endpoint repeatedly restarts the server again and again, producing a denial-of-service condition. Combined with a remote code execution technique, it also bypasses the intended administrative controls. Upgrade to version 10.10.7, which fixes the issue.
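The advisory says only that the local-access decision for /System/Restart is built on a source IP address the client can influence; it does not say how that address is derived. The following model is an added example, not Jellyfin's code, and the mechanism it assumes (a client-supplied X-Forwarded-For header taken at face value) is one common way such a check goes wrong. It puts the spoofable decision beside a hardened one that honours forwarded addresses only when the TCP peer is a configured reverse proxy. The local ranges, proxy address, and request addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed configuration: the ranges the server treats as its local network,
# and the address of the one reverse proxy whose forwarded headers are trusted.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("127.0.0.0/8")]
TRUSTED_PROXIES = {"192.168.1.2"}


@dataclass
class Request:
    peer_ip: str                                  # TCP peer address as the server sees it
    headers: dict = field(default_factory=dict)   # request headers, fully client-controlled
    is_admin: bool = False                        # True only for an authenticated elevated user


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def spoofable_client_ip(req: Request) -> str:
    # Weak pattern (assumed mechanism): the first X-Forwarded-For entry is taken as
    # the client address no matter who sent it, so any client picks its own "source IP".
    xff = req.headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else req.peer_ip


def hardened_client_ip(req: Request) -> str:
    # Forwarded addresses are honoured only when the connection itself comes from a
    # configured proxy; with one trusted hop, the rightmost entry is the one that
    # proxy appended. Everyone else is identified by the TCP peer address.
    xff = req.headers.get("X-Forwarded-For")
    if xff and req.peer_ip in TRUSTED_PROXIES:
        return xff.split(",")[-1].strip()
    return req.peer_ip


def restart_allowed(req: Request, client_ip) -> bool:
    # Policy modelled on "local access or elevated user": an admin may always call
    # the restart endpoint; an unauthenticated caller may only if it looks local.
    return req.is_admin or is_local(client_ip(req))


def demo() -> dict:
    # Constructed requests. The attacker's real address is outside LOCAL_NETS but it
    # claims a local one in X-Forwarded-For; the proxied user really is local.
    attacker = Request("192.168.50.23", {"X-Forwarded-For": "192.168.1.10"})
    lan_user = Request("192.168.1.10")
    proxied_lan_user = Request("192.168.1.2", {"X-Forwarded-For": "192.168.1.10"})
    return {
        "weak_attacker": restart_allowed(attacker, spoofable_client_ip),           # True: DoS possible
        "hardened_attacker": restart_allowed(attacker, hardened_client_ip),        # False
        "hardened_lan_user": restart_allowed(lan_user, hardened_client_ip),        # True
        "hardened_proxied": restart_allowed(proxied_lan_user, hardened_client_ip),  # True
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The point the hardened version makes is that "is this request local?" must be answered from something the client cannot write: the transport peer address, or a forwarded header that was provably added by a proxy you operate. Checking the spoofed address against a local range is not enough on its own, because the range check is exactly what the attacker is steering.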

Affected Version(s)

jellyfin >= 10.9.0, < 10.10.7
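Whether an installed server falls inside this range can be checked with the script below. It is an added example, not part of the advisory or of Jellyfin: it parses the range as written above, compares a version string against it (treating a pre-release build of 10.10.7 as still inside "< 10.10.7"), and can optionally read the running version from Jellyfin's unauthenticated /System/Info/Public endpoint, whose JSON body carries a "Version" field.

```python
import json
import re
import urllib.request

# Affected range exactly as stated in the advisory.
AFFECTED_RANGE = "jellyfin >= 10.9.0, < 10.10.7"

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")
_CONSTRAINT_RE = re.compile(r"(>=|<=|>|<)\s*(v?\d+\.\d+\.\d+(?:-[\w.]+)?)")


def parse_version(text: str) -> tuple:
    # "10.10.7" -> (10, 10, 7, 0); "10.10.7-rc1" -> (10, 10, 7, -1).
    # A pre-release tag sorts below the final release of the same number, so a
    # 10.10.7 release candidate is still inside "< 10.10.7" and reported as affected.
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), -1 if suffix.startswith("-") else 0)


def parse_range(spec: str) -> list:
    # "jellyfin >= 10.9.0, < 10.10.7" -> [(">=", (10, 9, 0, 0)), ("<", (10, 10, 7, 0))]
    constraints = [(op, parse_version(ver)) for op, ver in _CONSTRAINT_RE.findall(spec)]
    if not constraints:
        raise ValueError(f"no version constraints found in {spec!r}")
    return constraints


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def is_affected(version: str, spec: str = AFFECTED_RANGE) -> bool:
    # Every constraint in the range must hold for the version to be affected.
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_range(spec))


def fetch_server_version(base_url: str, timeout: float = 5.0) -> str:
    # GET /System/Info/Public needs no authentication on Jellyfin and returns a JSON
    # object with a "Version" field. This is a network call and is not exercised offline.
    url = base_url.rstrip("/") + "/System/Info/Public"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["Version"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.6"   # a version string or a base URL
    version = fetch_server_version(target) if target.startswith("http") else target
    verdict = "AFFECTED (upgrade to 10.10.7)" if is_affected(version) else "not affected"
    print(f"Jellyfin {version}: {verdict}")
```

Run it as `python check.py 10.10.6` to test a known version string, or `python check.py http://jellyfin.example:8096` to ask a live server for its version first. The hypothetical host name is a placeholder for your own instance.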

CVSS V4

Score:
4.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
