CVE-2026-48793
Status: Received - Intake
FFmpeg Argument Injection in Jellyfin Media Server

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Jellyfin is an open source self hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal (SubtitleEncoder.cs, line 382) interpolates the subtitle file path into FFmpeg command-line arguments without calling EncodingUtils.NormalizePath(). On Linux, filenames can contain double-quote characters, which break the argument quoting and allow injection of arbitrary FFmpeg arguments. The vulnerability is reachable without authentication via SubtitleController.GetSubtitle, which has no [Authorize] attribute. An attacker who can place a file in a Jellyfin media library directory (shared NAS, Samba share, guest upload) can achieve arbitrary file write on the server and information disclosure. This vulnerability is fixed in 10.11.10.
Meta Information
CVSS: no score is listed on this page
EPSS: no probability or percentile is listed (EPSS evaluated: N/A)
Generated: 2026-06-25
AI Q&A generated: 2026-06-24
Affected Vendors & Products
Vendor / Product / Version range: jellyfin / jellyfin / versions prior to 10.11.10 (the single CPE version listed, 10.11.10, is the release that fixes the issue, not an affected one)
CWE
CWE-88, Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'): the product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
AI Quick Actions
Executive Summary

This vulnerability exists in Jellyfin, an open source self-hosted media server, in versions prior to 10.11.10. It is an FFmpeg argument injection issue in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal (SubtitleEncoder.cs, line 382) interpolates the subtitle file path into the FFmpeg command-line argument string without first passing it through EncodingUtils.NormalizePath(). On Linux, a filename may contain double-quote characters; such a name closes the quoted argument early, so the rest of the filename is parsed as further FFmpeg arguments that the attacker controls.

The vulnerable code is reachable without authentication through SubtitleController.GetSubtitle, which carries no [Authorize] attribute. An attacker does not need a Jellyfin account; what they need is a way to place a file with a crafted name in a Jellyfin media library directory (for example, through a shared NAS, a Samba share, or a guest upload area) and the ability to reach the server's HTTP port. With those, the injected arguments can make FFmpeg write arbitrary files on the server and disclose information that the FFmpeg process can read.
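To make the mechanism concrete, the following Python example (added here; it is not Jellyfin's C# code and it never runs FFmpeg) builds the FFmpeg argument string the unsafe way, splits it the way a quote-aware argument splitter would, and shows the extra tokens a double quote in the filename produces, beside two ways of closing the hole. The library path, the output path, the hostile filename and the escaping helper are constructed for the illustration; shlex stands in for the .NET argument splitter, and the escaping helper makes no claim about what EncodingUtils.NormalizePath does internally.

```python
import shlex
from typing import Dict, List

# Constructed sample inputs (assumptions for the illustration, not real paths).
LIBRARY_DIR = "/srv/media"
BENIGN_NAME = "movie.srt"
# Linux allows a double quote in a filename. This one closes the quoted span
# early and smuggles two extra tokens into the argument string.
HOSTILE_NAME = 'movie" -extra "argument.srt'
OUTPUT_PATH = "/tmp/converted.srt"


def build_args_vulnerable(subtitle_path: str, output_path: str) -> str:
    """The unsafe pattern the advisory describes: the path is interpolated
    into one quoted argument string with no escaping of embedded quotes."""
    return f'-i "{subtitle_path}" -f srt "{output_path}"'


def split_argument_string(arg_string: str) -> List[str]:
    """Stand-in for the quote-aware split an argument string goes through
    before it reaches the child process. POSIX shlex is used here; the
    .NET splitter on Linux differs in detail, so treat this as an
    approximation of the real behaviour."""
    return shlex.split(arg_string)


def escape_for_quoted_arg(path: str) -> str:
    """One defence: escape backslashes and double quotes so a quote inside
    the path can no longer terminate the quoted span. Written for the
    shlex stand-in above; it is not a claim about what
    EncodingUtils.NormalizePath does internally."""
    return path.replace("\\", "\\\\").replace('"', '\\"')


def build_args_escaped(subtitle_path: str, output_path: str) -> str:
    """Same string-building shape as the vulnerable version, with the path
    escaped first."""
    return f'-i "{escape_for_quoted_arg(subtitle_path)}" -f srt "{output_path}"'


def build_args_argv(subtitle_path: str, output_path: str) -> List[str]:
    """Stronger defence: do not build a string at all. An argv list hands
    each path to the child as exactly one element, whatever characters it
    contains. This list is also what the caller intends in every case."""
    return ["-i", subtitle_path, "-f", "srt", output_path]


def compare(subtitle_path: str, output_path: str) -> Dict[str, List[str]]:
    """What the child process would actually receive under each builder."""
    intended = build_args_argv(subtitle_path, output_path)
    vulnerable = split_argument_string(build_args_vulnerable(subtitle_path, output_path))
    escaped = split_argument_string(build_args_escaped(subtitle_path, output_path))
    return {
        "intended": intended,
        "vulnerable": vulnerable,
        "escaped": escaped,
        # Tokens the child sees that the caller never meant to pass.
        "injected": [tok for tok in vulnerable if tok not in intended],
    }


def has_quote_breakout(name: str) -> bool:
    """Pre-flight check for a path that would end a double-quoted argument."""
    return '"' in name


if __name__ == "__main__":
    for name in (BENIGN_NAME, HOSTILE_NAME):
        result = compare(f"{LIBRARY_DIR}/{name}", OUTPUT_PATH)
        print(f"{name!r}: quote breakout = {has_quote_breakout(name)}")
        for key, value in result.items():
            print(f"  {key:10} {value}")
```

The point to take from the vulnerable column is that none of the five arguments the caller wrote changed; the filename alone rewrote the child's argv from five elements to seven. Escaping closes this particular hole, while passing an argv list removes the string-parsing step entirely, which is the shape a reviewer should ask for wherever a filename from a user-writable directory reaches a subprocess.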

This vulnerability was fixed in Jellyfin version 10.11.10.

Impact Analysis

This vulnerability can have serious impact: arbitrary file write on the affected Jellyfin server and disclosure of information readable by the FFmpeg process. An attacker who can place a file with a crafted name in the media library can use the injected FFmpeg arguments to write files of their choosing to locations the FFmpeg process can reach, or to read files from the server. The advisory describes file write and information disclosure, not direct command execution; how far an arbitrary file write can be escalated depends on what the account running Jellyfin and FFmpeg is allowed to write.

Because the endpoint requires no authentication, the attacker needs no Jellyfin account: network access to the server's HTTP port plus write access to a library directory is enough. That lowers the bar considerably for shared-storage deployments, and exploitation can lead to compromise of sensitive data or disruption of service.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Jellyfin to version 10.11.10 or later, where the issue has been fixed.

Additionally, restrict the ability of untrusted users to place files in the Jellyfin media library directories, such as shared NAS volumes, Samba shares, or guest upload areas, since a crafted filename in one of those directories is the attacker's only foothold. Until you can upgrade, also run Jellyfin and its FFmpeg child process under a dedicated unprivileged account whose write access is limited to Jellyfin's own configuration, cache and transcode directories, so that an arbitrary file write is confined to what that account can reach.

Compliance Impact

This vulnerability allows an attacker who can place a file in a media library directory to achieve arbitrary file write on the server and information disclosure, with no Jellyfin authentication required. Such unauthorized access and potential data leakage can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality and integrity of personal and sensitive information.

Because the vulnerability affects confidentiality (information disclosure) and integrity (arbitrary file write) of data on the server, and can extend to availability if files the service depends on are overwritten, organizations using affected Jellyfin versions may face compliance risk if sensitive data is exposed or altered through exploitation. No CVSS score is listed on this page; assess severity from the unauthenticated reachability and the file-write impact described above.

Detection Guidance

Detection of this vulnerability has two parts: confirming that the Jellyfin server runs a version prior to 10.11.10, and looking for subtitle files whose names contain a double-quote character, since such a name is what turns the unescaped path into extra FFmpeg arguments.

You can check the Jellyfin version without credentials from the server hosting it. /System/Info/Public is the unauthenticated variant of the system-info endpoint (the plain /System/Info route requires an API key or session), and the grep pattern pulls the Version field out of the single-line JSON response:

  • curl -s http://localhost:8096/System/Info/Public | grep -o '"Version":"[^"]*"'

To detect exploitation attempts, look for requests to the unauthenticated subtitle stream route served by SubtitleController.GetSubtitle. Request logs record the URL path, not the C# method name, so search for the route shape, /Videos/<itemId>/<mediaSourceId>/Subtitles/<index>/Stream.<format>. Whether Jellyfin itself writes a line per request depends on its logging configuration, so a reverse proxy's access log is usually the more reliable source:

  • grep -E '/Videos/[^/ ]+/[^/ ]+/Subtitles/[^ ]*Stream\.' /path/to/jellyfin/logs/*.log

Note that the request path carries item and media-source IDs rather than filenames, so a log hit on its own does not prove an injection; correlate it with the filesystem check below and with unexpected new or modified files on the server.

Additionally, check for unusual filenames containing double-quote characters in your media library directories (e.g., shared NAS or Samba shares). Linux allows double quotes in filenames, so the check has to be done on the name itself, not on file type or extension.

For example, to find files with double quotes in their names on Linux, you can run:

  • find /path/to/media/library -type f -name '*"*'

If such files exist and your Jellyfin version is vulnerable, your system may be at risk; treat any such file in a directory writable by untrusted users as suspicious, and review who created it and what it contains before removing it.
