Authentication Bypass Vulnerability in Emby Server by Emby
CVE-2025-64325
8.4 HIGH
What is CVE-2025-64325?
Emby Server, a personal media server, is susceptible to an authentication bypass due to improper handling of the X-Emby-Client request header. A malicious user can exploit this vulnerability by sending a crafted authentication request whose manipulated client value is added to the devices section of the admin dashboard without adequate sanitization. This flaw poses a risk of unauthorized access and has been addressed in version 4.8.1.0 and beta version 4.9.0.0-beta. For detailed information, refer to the security advisory.
Affected Version(s)
Emby.Security: Emby Server (Web App) < 4.8.1.0
Emby.Security: Emby Server Beta (Web App) < 4.9.0.0-beta
