Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any lowercase query parameter to a dictionary without validation, bypassing the RegularExpression attribute on the level controller parameter, and the unsanitized value is concatenated directly into the ffmpeg command line. By injecting a drawtext filter with a textfile argument, an attacker can read arbitrary server files such as /etc/shadow and exfiltrate their contents as text rendered in the video stream response. The vulnerable /Videos/{itemId}/stream endpoint has no Authorize attribute, making this exploitable without authentication, though item GUIDs are pseudorandom and require an authenticated user to obtain. This issue has been fixed in version 10.11.7.

N/A

参数注入或修改

Jellyfin 安全漏洞

Jellyfin是Jellyfin开源的一个免费软件媒体系统。可让您控制媒体的管理和流式传输。它是专有Emby和Plex的替代产品，可以通过多个应用程序将专用服务器中的媒体提供给最终用户设备。 Jellyfin 10.11.7之前版本存在安全漏洞，该漏洞源于StreamOptions查询参数解析机制存在ffmpeg参数注入，可能导致未经身份验证的任意文件读取。

N/A

N/A