Nixpkgs security tracker
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
19 packages
- jellyfin-rpc
- jellyfin-tui
- jellyfin-web
- jellyfin-ffmpeg
- mopidy-jellyfin
- jellyfin-desktop
- jellyfin-mpv-shim
- jellyfin-media-player
- kodiPackages.jellyfin
- python312Packages.aiojellyfin
- python313Packages.aiojellyfin
- python314Packages.aiojellyfin
- mopidyPackages.mopidy-jellyfin
- home-assistant-component-tests.jellyfin
- tests.home-assistant-components.jellyfin
- python312Packages.jellyfin-apiclient-python
- python313Packages.jellyfin-apiclient-python
- python314Packages.jellyfin-apiclient-python
- tests.home-assistant-component-tests.jellyfin
-
@LeSuisse
ignored
maintainer.ignore
4 maintainers
- @jojosch
- @minijackson
- @nyanloutre
- @purcell
- @LeSuisse accepted
- @LeSuisse published on GitHub
Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.
References
-
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-8fw7-f233-ffr8 x_refsource_CONFIRM
Ignored references (1)
-
https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7 x_refsource_MISC
Affected products
- ==< 10.11.7
Matching in nixpkgs
Ignored packages (19)
pkgs.jellyfin-rpc
Displays the content you're currently watching on Discord
pkgs.jellyfin-tui
Jellyfin music streaming client for the terminal
pkgs.jellyfin-web
Web Client for Jellyfin
pkgs.jellyfin-ffmpeg
Complete, cross-platform solution to record, convert and stream audio and video (Jellyfin fork)
pkgs.mopidy-jellyfin
Mopidy extension for playing audio files from Jellyfin
pkgs.jellyfin-desktop
Jellyfin Desktop Client
pkgs.jellyfin-mpv-shim
Allows casting of videos to MPV via the jellyfin mobile and web app
pkgs.jellyfin-media-player
Jellyfin Desktop Client
pkgs.kodiPackages.jellyfin
Whole new way to manage and view your media library
pkgs.python312Packages.aiojellyfin
None
pkgs.python313Packages.aiojellyfin
None
pkgs.python314Packages.aiojellyfin
None
pkgs.mopidyPackages.mopidy-jellyfin
Mopidy extension for playing audio files from Jellyfin
pkgs.home-assistant-component-tests.jellyfin
None
pkgs.tests.home-assistant-components.jellyfin
None
-
nixos-unstable -
- nixos-unstable-small 2026.4.2
pkgs.python313Packages.jellyfin-apiclient-python
Python API client for Jellyfin
pkgs.python314Packages.jellyfin-apiclient-python
Python API client for Jellyfin
pkgs.tests.home-assistant-component-tests.jellyfin
Open source home automation that puts local control and privacy first
Package maintainers
Ignored maintainers (4)
-
@jojosch Johannes Schleifenbaum <johannes@js-webcoding.de>
-
@minijackson Rémi Nicole <minijackson@riseup.net>
-
@nyanloutre Paul Trehiou <paul@nyanlout.re>
-
@purcell Steve Purcell <steve@sanityinc.com>