Nixpkgs security tracker
9.9 CRITICAL
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
19 packages
- jellyfin-rpc
- jellyfin-tui
- jellyfin-web
- jellyfin-ffmpeg
- mopidy-jellyfin
- jellyfin-desktop
- jellyfin-mpv-shim
- jellyfin-media-player
- kodiPackages.jellyfin
- python312Packages.aiojellyfin
- python313Packages.aiojellyfin
- python314Packages.aiojellyfin
- mopidyPackages.mopidy-jellyfin
- home-assistant-component-tests.jellyfin
- tests.home-assistant-components.jellyfin
- python312Packages.jellyfin-apiclient-python
- python313Packages.jellyfin-apiclient-python
- python314Packages.jellyfin-apiclient-python
- tests.home-assistant-component-tests.jellyfin
-
@LeSuisse
ignored
maintainer.ignore
4 maintainers
- @jojosch
- @nyanloutre
- @minijackson
- @purcell
- @LeSuisse accepted
- @LeSuisse published on GitHub
Jellyfin: Potential RCE via subtitle upload path traversal + .strm chain
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.
References
-
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-j2hf-x4q5-47j3 x_refsource_CONFIRM
Ignored references (1)
-
https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7 x_refsource_MISC
Affected products
- ==< 10.11.7
Matching in nixpkgs
Ignored packages (19)
pkgs.jellyfin-rpc
Displays the content you're currently watching on Discord
pkgs.jellyfin-tui
Jellyfin music streaming client for the terminal
pkgs.jellyfin-web
Web Client for Jellyfin
pkgs.jellyfin-ffmpeg
Complete, cross-platform solution to record, convert and stream audio and video (Jellyfin fork)
pkgs.mopidy-jellyfin
Mopidy extension for playing audio files from Jellyfin
pkgs.jellyfin-desktop
Jellyfin Desktop Client
pkgs.jellyfin-mpv-shim
Allows casting of videos to MPV via the jellyfin mobile and web app
pkgs.jellyfin-media-player
Jellyfin Desktop Client
pkgs.kodiPackages.jellyfin
Whole new way to manage and view your media library
pkgs.python312Packages.aiojellyfin
None
pkgs.python313Packages.aiojellyfin
None
pkgs.python314Packages.aiojellyfin
None
pkgs.mopidyPackages.mopidy-jellyfin
Mopidy extension for playing audio files from Jellyfin
pkgs.home-assistant-component-tests.jellyfin
None
pkgs.tests.home-assistant-components.jellyfin
None
-
nixos-unstable -
- nixos-unstable-small 2026.4.2
pkgs.python313Packages.jellyfin-apiclient-python
Python API client for Jellyfin
pkgs.python314Packages.jellyfin-apiclient-python
Python API client for Jellyfin
pkgs.tests.home-assistant-component-tests.jellyfin
Open source home automation that puts local control and privacy first
Package maintainers
Ignored maintainers (4)
-
@jojosch Johannes Schleifenbaum <johannes@js-webcoding.de>
-
@minijackson Rémi Nicole <minijackson@riseup.net>
-
@nyanloutre Paul Trehiou <paul@nyanlout.re>
-
@purcell Steve Purcell <steve@sanityinc.com>