CVE-2025-32012 in Jellyfin

Summary

by MITRE • 04/15/2025

Jellyfin is an open-source, self-hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing can also bypass some security mechanisms, cause a denial-of-service attack, and possibly bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7.


Analysis

by VulDB Data Team • 10/06/2025

CVE-2025-32012 is an access control flaw in the Jellyfin media server affecting versions 10.9.0 through 10.10.6. It stems from the authorization policy on the /System/Restart endpoint, which exists so that administrators can restart their Jellyfin server. That policy does not insist on an administrator session: it also accepts any request that appears to originate from the local network. Because the "appears to originate" decision can be influenced by the client, an unauthenticated remote caller can satisfy the local-network branch of the check and invoke an operation that was meant for administrators only.

The technical flaw lies in how Jellyfin determines the source IP address of an incoming request. Logic that lets a reverse proxy or load balancer report the real client address, via the X-Forwarded-For header or a similar mechanism, is applied without first validating that the request actually arrived from a trusted proxy, so a value the client itself supplies is taken as its network location. The issue is classified under CWE-284 (Improper Access Control) and is a textbook weak trust assumption: a header any caller can set decides whether the caller is treated as a local device. Letting an unauthenticated client reach an administrative function this way directly violates the principle of least privilege.
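The pattern described above, as an added example that is not Jellyfin's code and not taken from the advisory: a generic "LAN or admin" policy evaluated first with a resolver that honours X-Forwarded-For from any peer (the vulnerable shape) and then with one that only honours it when the TCP peer is an operator-configured reverse proxy. The `Request` type, the `KNOWN_PROXIES` list and the sample requests are constructed for the demonstration; the LAN ranges are the RFC 1918, loopback and link-local blocks rather than Python's `is_private`, which also counts documentation ranges such as 203.0.113.0/24 as private.

```python
import ipaddress
from dataclasses import dataclass, field

# Ranges the policy treats as "the local network" (explicit, not ipaddress.is_private).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class Request:
    """Hypothetical minimal request model (not Jellyfin's types)."""
    peer_ip: str                                  # TCP peer as seen by the server socket
    headers: dict = field(default_factory=dict)
    path: str = "/System/Restart"


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)               # raises ValueError on garbage
    return any(addr in net for net in LAN_NETWORKS)


def source_ip_vulnerable(req: Request) -> str:
    """Vulnerable shape: honour X-Forwarded-For from any peer, so whatever the
    client writes into the header becomes its 'source IP'."""
    fwd = req.headers.get("X-Forwarded-For")
    if fwd:
        return fwd.split(",")[0].strip()
    return req.peer_ip


def make_hardened_resolver(known_proxies):
    """Hardened shape: the header only means something if the TCP peer is one of
    the configured reverse proxies; then walk the hop list from the right,
    skipping trusted proxies, and take the first untrusted hop as the client."""
    trusted = [ipaddress.ip_network(p) for p in known_proxies]

    def is_trusted(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in trusted)

    def resolve(req: Request) -> str:
        if not is_trusted(req.peer_ip):
            return req.peer_ip                    # header from a non-proxy peer is ignored
        hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
        for hop in reversed(hops):
            if not is_trusted(hop):               # ValueError on a malformed hop propagates -> deny
                return hop
        return req.peer_ip                        # chain contained only proxies
    return resolve


def authorize_restart(req: Request, resolver, authenticated_admin: bool = False) -> bool:
    """'LAN or admin' policy: admins always pass; otherwise the decision rests
    entirely on the resolved source IP, which is where the flaw bites."""
    if authenticated_admin:
        return True
    try:
        return is_lan(resolver(req))
    except ValueError:
        return False


KNOWN_PROXIES = ["10.0.0.2/32"]                   # constructed: the operator's reverse proxy

# Constructed requests.
SPOOFED = Request(peer_ip="203.0.113.7", headers={"X-Forwarded-For": "192.168.1.10"})
GENUINE_VIA_PROXY = Request(peer_ip="10.0.0.2", headers={"X-Forwarded-For": "192.168.1.10"})
SPOOF_VIA_PROXY = Request(peer_ip="10.0.0.2", headers={"X-Forwarded-For": "192.168.1.10, 203.0.113.7"})
DIRECT_LAN = Request(peer_ip="192.168.1.10")

if __name__ == "__main__":
    hardened = make_hardened_resolver(KNOWN_PROXIES)
    for name, req in [("spoofed", SPOOFED), ("genuine via proxy", GENUINE_VIA_PROXY),
                      ("spoof via proxy", SPOOF_VIA_PROXY), ("direct LAN", DIRECT_LAN)]:
        print(f"{name:18} vulnerable={authorize_restart(req, source_ip_vulnerable)} "
              f"hardened={authorize_restart(req, hardened)}")
```

The second spoofing case matters for real deployments: a proxy that appends the peer address to an attacker-supplied X-Forwarded-For produces "192.168.1.10, 203.0.113.7", and a resolver that reads the leftmost value still believes the attacker is on the LAN, whereas the right-to-left walk stops at the first hop the proxy did not vouch for.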

The operational impact is an unauthenticated denial of service against default-configured Jellyfin installations. The attacker sends the spoofed restart request every few seconds, the server restarts over and over, and the media server stays unavailable to legitimate users. The attack needs no credentials and can be launched from anywhere on the Internet, which makes it cheap to mount. The same IP spoofing technique is not limited to this endpoint: it also defeats other checks that rely on the local-network distinction, and an attacker who has obtained remote code execution through some other flaw could use it to satisfy an admin restart requirement without holding an administrator account.
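Detection logic for the attack pattern above, as an added example that is not part of the VulDB entry or of Jellyfin: it scans reverse-proxy access logs for two signals, a non-LAN TCP peer whose X-Forwarded-For claims a LAN address (a spoof attempt, since the proxy's own peer address cannot legitimately carry that header) and any single peer hitting /System/Restart repeatedly within a short window (the restart loop). The log lines are constructed, and the format is a hypothetical nginx "combined" log_format with the forwarded header appended as `xff="..."`; the status codes and paths in the sample are illustrative only.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]


def is_lan(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


# Constructed sample: reverse-proxy access log, nginx combined format plus xff="...".
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2025:10:00:01 +0000] "POST /System/Restart HTTP/1.1" 204 0 "-" "curl/8.5.0" xff="192.168.1.10"
203.0.113.7 - - [15/Apr/2025:10:00:06 +0000] "POST /System/Restart HTTP/1.1" 204 0 "-" "curl/8.5.0" xff="192.168.1.10"
203.0.113.7 - - [15/Apr/2025:10:00:11 +0000] "POST /System/Restart HTTP/1.1" 204 0 "-" "curl/8.5.0" xff="192.168.1.10"
192.168.1.20 - - [15/Apr/2025:10:00:12 +0000] "POST /System/Restart HTTP/1.1" 204 0 "-" "Jellyfin-Web" xff="-"
198.51.100.4 - - [15/Apr/2025:10:00:13 +0000] "GET /System/Info/Public HTTP/1.1" 200 512 "-" "curl/8.5.0" xff="192.168.1.10"
203.0.113.7 - - [15/Apr/2025:10:00:14 +0000] "POST /System/Restart HTTP/1.1" 401 0 "-" "curl/8.5.0" xff="-"
"""

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" xff="(?P<xff>[^"]*)"$')


def parse_log(text):
    """Yield one dict per well-formed line; lines the regex rejects are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # The leftmost hop is the address a vulnerable resolver would believe.
        rec["claimed"] = rec["xff"].split(",")[0].strip() if rec["xff"] not in ("", "-") else None
        yield rec


def spoofed_lan_requests(text):
    """Requests whose TCP peer is outside the LAN but whose X-Forwarded-For
    claims a LAN address. Flagged regardless of path, because the spoof also
    targets other checks that rely on the local-network distinction."""
    return [r for r in parse_log(text)
            if not is_lan(r["peer"]) and r["claimed"] is not None and is_lan(r["claimed"])]


def restart_storms(text, window_seconds=60, threshold=3):
    """Peers that hit /System/Restart at least `threshold` times inside any
    window of `window_seconds`; returns {peer: max requests in one window}."""
    times = defaultdict(list)
    for r in parse_log(text):
        if r["path"].rstrip("/").lower() == "/system/restart":
            times[r["peer"]].append(r["ts"])
    storms = {}
    for peer, ts in times.items():
        ts.sort()
        best, lo = 0, 0
        for hi in range(len(ts)):                 # sliding window over sorted timestamps
            while (ts[hi] - ts[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            storms[peer] = best
    return storms


if __name__ == "__main__":
    for r in spoofed_lan_requests(SAMPLE_LOG):
        print(f"spoof attempt: peer={r['peer']} claims={r['claimed']} {r['method']} {r['path']}")
    print("restart storms:", restart_storms(SAMPLE_LOG))
```

The spoof signal only holds when the log is written by the component that terminates the client's TCP connection; if the log comes from Jellyfin itself behind a proxy, the peer field is the proxy and the check must instead compare the proxy-appended rightmost hop, as in the resolver example.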

The security implications extend beyond the service disruption itself, since the flaw shows a request-origin check that does not validate its own input. The attack maps to ATT&CK T1499 (Endpoint Denial of Service) and, for its delivery over ordinary HTTP, T1071 (Application Layer Protocol). Organizations running default Jellyfin configurations are exposed because the attack needs nothing more than a crafted HTTP request. Version 10.10.7 fixes the issue by changing how the source IP of a request is determined, so that a spoofed header no longer lets a remote client pass the local-network check and the restart endpoint is again reachable only by authenticated administrators and genuine local-network clients. The fix is a reminder that any authorization decision based on "where the request came from" must rest on data the client cannot control.

Responsible

GitHub M

Reservation

04/01/2025

Disclosure

04/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00324

KEV

no

Activities

very low

Sources
