Vulnerability Description
Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing also bypasses some security mechanisms, cause a denial-of-service attack, and possible bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jellyfin | Jellyfin | >= 10.9.0, < 10.10.7 |
Related Weaknesses (CWE)
References
- https://github.com/jellyfin/jellyfin/commit/f625665cb116a7e3feb8b79aaf1ed39a956ePatch
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-qcmf-gmhm-rfv9MitigationVendor Advisory
FAQ
What is CVE-2025-32012?
CVE-2025-32012 is a vulnerability with a CVSS score of 7.5 (HIGH). Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpo...
How severe is CVE-2025-32012?
CVE-2025-32012 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-32012?
Check the references section above for vendor advisories and patch information. Affected products include: Jellyfin Jellyfin.