CVE-2025-32012
CVE-2025-32012 is a high-severity vulnerability in Jellyfin with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-290.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v4: 4.6
- EPSS exploit prediction: 1% (48th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-10984
- Weakness: CWE-290
- Affected product: Jellyfin
- Published:
- Last modified:
Description
Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing also bypasses some security mechanisms, cause a denial-of-service attack, and possible bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7.
Frequently asked questions
- What is CVE-2025-32012?
- Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing also bypasses some security mechanisms, cause a denial-of-service attack, and possible bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7.
- How severe is CVE-2025-32012?
- CVE-2025-32012 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2025-32012 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (48th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-32012?
- CVE-2025-32012 affects Jellyfin. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-32012?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-32012 have an EU (EUVD) identifier?
- Yes. CVE-2025-32012 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-10984.
- When was CVE-2025-32012 published?
- CVE-2025-32012 was published on 2025-04-15 and last updated on 2026-06-17.
References
- https://github.com/jellyfin/jellyfin/commit/f625665cb116a7e3feb8b79aaf1ed39a956e0585
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-qcmf-gmhm-rfv9
Affected products (1)
- cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*
More vulnerabilities in Jellyfin
- CVE-2026-31852 — Critical (CVSS 10.0): Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is…
- CVE-2026-35031 — Critical (CVSS 9.9): Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the…
- CVE-2026-35033 — Critical (CVSS 9.1): Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary…
- CVE-2023-30627 — Critical (CVSS 9.0): jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to…
- CVE-2025-31499 — High (CVSS 8.8): Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument injection in…
- CVE-2023-30626 — High (CVSS 8.8): Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory…
Other CWE-290 vulnerabilities
- CVE-2026-48567 — Critical (CVSS 10.0): Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-6213 — Critical (CVSS 10.0): A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypasses the local connection check…
- CVE-2026-39858 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high…
- CVE-2025-66570 — Critical (CVSS 10.0): cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability…
- CVE-2025-34063 — Critical (CVSS 10.0): A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure…
- CVE-2023-22814 — Critical (CVSS 10.0): An authentication bypass issue via spoofing was discovered in the token-based authentication mechanism that could allow…