Nixpkgs security tracker
6.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
19 packages
- jellyfin-rpc
- jellyfin-tui
- jellyfin-web
- jellyfin-ffmpeg
- mopidy-jellyfin
- jellyfin-desktop
- jellyfin-mpv-shim
- jellyfin-media-player
- kodiPackages.jellyfin
- python312Packages.aiojellyfin
- python313Packages.aiojellyfin
- python314Packages.aiojellyfin
- mopidyPackages.mopidy-jellyfin
- home-assistant-component-tests.jellyfin
- tests.home-assistant-components.jellyfin
- python312Packages.jellyfin-apiclient-python
- python313Packages.jellyfin-apiclient-python
- python314Packages.jellyfin-apiclient-python
- tests.home-assistant-component-tests.jellyfin
-
@LeSuisse
ignored
maintainer.ignore
4 maintainers
- @purcell
- @nyanloutre
- @jojosch
- @minijackson
- @LeSuisse accepted
- @LeSuisse published on GitHub
Jellyfin: Potential Application DoS from excessively large SyncPlay group names
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authenticated user can create groups with names of unlimited size due to insufficient input validation. By sending large payloads combined with arbitrary group IDs, an attacker can lock out the endpoint for other clients attempting to join SyncPlay groups and significantly increase the memory usage of the Jellyfin process, potentially leading to an out-of-memory crash. This issue has been fixed in version 10.11.7.
References
-
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-v2jv-54xj-h76w x_refsource_CONFIRM
Ignored references (1)
-
https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7 x_refsource_MISC
Affected products
- ==< 10.11.7
Matching in nixpkgs
Ignored packages (19)
pkgs.jellyfin-rpc
Displays the content you're currently watching on Discord
pkgs.jellyfin-tui
Jellyfin music streaming client for the terminal
pkgs.jellyfin-web
Web Client for Jellyfin
pkgs.jellyfin-ffmpeg
Complete, cross-platform solution to record, convert and stream audio and video (Jellyfin fork)
pkgs.mopidy-jellyfin
Mopidy extension for playing audio files from Jellyfin
pkgs.jellyfin-desktop
Jellyfin Desktop Client
pkgs.jellyfin-mpv-shim
Allows casting of videos to MPV via the jellyfin mobile and web app
pkgs.jellyfin-media-player
Jellyfin Desktop Client
pkgs.kodiPackages.jellyfin
Whole new way to manage and view your media library
pkgs.python312Packages.aiojellyfin
None
pkgs.python313Packages.aiojellyfin
None
pkgs.python314Packages.aiojellyfin
None
pkgs.mopidyPackages.mopidy-jellyfin
Mopidy extension for playing audio files from Jellyfin
pkgs.home-assistant-component-tests.jellyfin
None
pkgs.tests.home-assistant-components.jellyfin
None
-
nixos-unstable -
- nixos-unstable-small 2026.4.2
pkgs.python313Packages.jellyfin-apiclient-python
Python API client for Jellyfin
pkgs.python314Packages.jellyfin-apiclient-python
Python API client for Jellyfin
pkgs.tests.home-assistant-component-tests.jellyfin
Open source home automation that puts local control and privacy first
Package maintainers
Ignored maintainers (4)
-
@jojosch Johannes Schleifenbaum <johannes@js-webcoding.de>
-
@minijackson Rémi Nicole <minijackson@riseup.net>
-
@nyanloutre Paul Trehiou <paul@nyanlout.re>
-
@purcell Steve Purcell <steve@sanityinc.com>