IP Spoofing Vulnerability in Jellyfin Media Server
CVE-2025-32012
What is CVE-2025-32012?
The Jellyfin Media Server contains a vulnerability in the /System/Restart endpoint that can be exploited by unauthenticated attackers. Although the endpoint is intended for administrative use, it identifies the caller by source IP address, and an attacker on the same local network can spoof that address. This allows repeated unauthorized server restarts, resulting in a denial-of-service condition. Moreover, combined with remote code execution techniques, it poses significant security risk by bypassing the intended administrative controls. Users are advised to upgrade to version 10.10.7, which addresses this issue.

Affected Version(s)
jellyfin >= 10.9.0, < 10.10.7
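A defender's first question is whether a given deployment sits inside the affected range above. The following is an added example, not Jellyfin project code: it parses a Jellyfin version string (including pre-release tags such as "-rc1", which are treated as older than the final release) and checks it against the advisory's range, optionally reading the version from the JSON body Jellyfin's public info endpoint returns. The sample response body is constructed, not captured from a real server.

```python
"""Check whether a Jellyfin version is inside the CVE-2025-32012 affected
range (jellyfin >= 10.9.0, < 10.10.7). Added example, not Jellyfin's own code."""
import json
import re

# Range taken from the advisory. The 4th tuple element orders pre-releases
# (0) before the final release (1) of the same major.minor.patch.
AFFECTED_MIN = (10, 9, 0, 0)   # inclusive; 10.9.0 pre-releases counted conservatively
FIXED = (10, 10, 7, 1)         # first fixed release (pre-releases of 10.10.7 stay affected)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?")


def parse_version(text):
    """Turn '10.10.6', 'v10.10', or '10.10.7-rc1' into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if prerelease else 1)


def is_affected(version):
    """True if the version falls in [10.9.0, 10.10.7)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def assess_public_info(body):
    """Evaluate the JSON body returned by GET /System/Info/Public, whose
    'Version' field carries the server version. Returns a small report."""
    info = json.loads(body)
    version = info["Version"]
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "advice": "upgrade to 10.10.7 or later" if affected else "not in affected range",
    }


# Constructed sample body (not from a real server) for a stand-alone run.
SAMPLE_PUBLIC_INFO = '{"ServerName": "media", "Version": "10.10.6", "ProductName": "Jellyfin Server"}'

if __name__ == "__main__":
    print(assess_public_info(SAMPLE_PUBLIC_INFO))
```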
