CVE-2025-24960 in Jellystat
Summary
by MITRE • 02/03/2025
Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using user input in the route(s). This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admin(s), there is very little scope for abuse. However, the `DELETE` `files/:filename` route can be used to delete any file. This issue has been addressed in version 1.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Analysis
by VulDB Data Team • 02/03/2025
The vulnerability identified as CVE-2025-24960 affects Jellystat, a statistics application designed for the Jellyfin media server platform. This open source tool provides analytical capabilities for monitoring Jellyfin server performance and user activity. The security flaw stems from improper input validation within the application's routing mechanism, specifically when processing user-provided data in URL paths. The vulnerability manifests as a path traversal condition that allows attackers to manipulate file system access through crafted requests. According to its CWE classification, this represents a weakness in input validation where user-supplied data is directly incorporated into file system operations without adequate sanitization or verification.
The technical implementation of this vulnerability occurs when Jellystat processes file operations through its RESTful API endpoints. The application's route handling directly incorporates user input into file path resolution without proper validation or sanitization measures. This design flaw enables an attacker to construct malicious paths that can traverse the file system hierarchy beyond intended boundaries. The vulnerability is particularly concerning because it affects administrative functionality, though the scope of potential abuse remains limited due to the requirement for administrative privileges. However, the specific DELETE endpoint for files presents a significant risk as it allows arbitrary file deletion on the server, potentially compromising system integrity and data availability.
The operational impact of this vulnerability extends beyond simple path traversal to include potential data destruction and system compromise. While the vulnerability requires administrative access to exploit, the combination of path traversal and file deletion capabilities creates a dangerous attack vector. An attacker with administrative credentials could leverage this vulnerability to delete critical system files, configuration data, or user content, potentially causing service disruption or complete system compromise. The attack surface is further reduced by the fact that this functionality is restricted to administrators, but the potential for privilege escalation or credential theft remains a concern. According to the ATT&CK framework, this vulnerability maps to T1078 (Valid Accounts) and T1485 (Data Destruction), as it requires legitimate administrative access but can lead to destructive outcomes.
Security mitigation for this vulnerability requires immediate upgrade to Jellystat version 1.1.3, which contains the necessary patches to address the path traversal and file deletion issues. The fix implements proper input validation and sanitization measures that prevent user-supplied data from being directly incorporated into file system operations. Organizations should also implement additional monitoring for unusual file deletion patterns and ensure that administrative privileges are strictly controlled and monitored. No known workarounds exist for this vulnerability, making the upgrade the only effective remediation approach. System administrators should verify that the updated version properly resolves the path traversal conditions and that all file operations are now properly validated before execution. The vulnerability highlights the importance of secure coding practices and proper input validation in web applications, particularly those handling file system operations and administrative functions.