CVE-2021-29490
CVE-2021-29490 is a medium-severity vulnerability in Jellyfin with a CVSS 3.x base score of 5.8. Its EPSS exploit-prediction score of 70% places it in the 99th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-918.
Key facts
- Severity: Medium (CVSS 3.x base score 5.8)
- CVSS v2: 5.0
- EPSS exploit prediction: 70% (99th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-918
- Affected product: Jellyfin
- Published:
- Last modified:
Description
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP `GET` that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image` and `/Images/Remote` via reverse proxy, or limit to known-friendly IPs.
Frequently asked questions
- What is CVE-2021-29490?
- Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP `GET` that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image` and `/Images/Remote` via reverse proxy, or limit to known-friendly IPs.
- How severe is CVE-2021-29490?
- CVE-2021-29490 has a CVSS 3.x base score of 5.8, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2021-29490 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 70% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-29490?
- CVE-2021-29490 affects Jellyfin. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-29490?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-29490 published?
- CVE-2021-29490 was published on 2021-05-06 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*
More vulnerabilities in Jellyfin
- CVE-2026-31852 — Critical (CVSS 10.0): Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is…
- CVE-2026-35031 — Critical (CVSS 9.9): Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the…
- CVE-2026-35033 — Critical (CVSS 9.1): Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary…
- CVE-2023-30627 — Critical (CVSS 9.0): jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to…
- CVE-2025-31499 — High (CVSS 8.8): Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument injection in…
- CVE-2023-30626 — High (CVSS 8.8): Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory…
Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities
- CVE-2026-47938 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF)…
- CVE-2026-35431 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to…
- CVE-2026-32186 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-33107 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-32871 — Critical (CVSS 10.0): FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP…
- CVE-2026-32169 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a…
Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →