CVE-2025-32012

Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing also bypasses some security mechanisms, cause a denial-of-service attack, and possible bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/jellyfin/jellyfin/commit/f625665cb116a7e3feb8b79aaf1ed39a956e0585	Patch
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-qcmf-gmhm-rfv9	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*

History

06 Oct 2025, 16:49

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:jellyfin:jellyfin::::::::
First Time		Jellyfin jellyfin Jellyfin
References	~~() https://github.com/jellyfin/jellyfin/commit/f625665cb116a7e3feb8b79aaf1ed39a956e0585 -~~	() https://github.com/jellyfin/jellyfin/commit/f625665cb116a7e3feb8b79aaf1ed39a956e0585 - Patch
References	~~() https://github.com/jellyfin/jellyfin/security/advisories/GHSA-qcmf-gmhm-rfv9 -~~	() https://github.com/jellyfin/jellyfin/security/advisories/GHSA-qcmf-gmhm-rfv9 - Mitigation, Vendor Advisory

16 Apr 2025, 13:25

Type	Values Removed	Values Added
Summary		(es) Jellyfin es un servidor multimedia autoalojado de código abierto. En las versiones 10.9.0 y anteriores a la 10.10.7, el endpoint /System/Restart permite a los administradores reiniciar su servidor Jellyfin. Este endpoint está diseñado para uso exclusivo de administradores, pero también autoriza solicitudes desde cualquier dispositivo en la misma red local que el servidor Jellyfin. Gracias al método que Jellyfin utiliza para determinar la IP de origen de una solicitud, un atacante no autenticado puede falsificar su IP para que parezca una IP de LAN, lo que le permite reiniciar el proceso del servidor Jellyfin sin autenticación. Esto significa que un atacante no autenticado podría lanzar un ataque de denegación de servicio contra cualquier servidor Jellyfin con configuración predeterminada simplemente enviando la misma solicitud falsificada cada pocos segundos para reiniciar el servidor una y otra vez. Este método de suplantación de IP también elude algunos mecanismos de seguridad, provoca un ataque de denegación de servicio y, posiblemente, elude el requisito de reinicio del administrador si se combina con la ejecución remota de código. Este problema se solucionó en la versión 10.10.7.

15 Apr 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-15 20:15

Updated : 2025-10-06 16:49

NVD link : CVE-2025-32012

Mitre link : CVE-2025-32012

CVE.ORG link : CVE-2025-32012

JSON object : View

Products Affected

jellyfin

jellyfin

CWE

CWE-290

Authentication Bypass by Spoofing

7.5 /10