Collection of potential security issues in Jellyfin This is a non-exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…
Honestly, is the problem that they need extra hands to fix these issues?
Many of these have already been fixed FWIW, it’s not a collection of open issues.
Never mind, they have only been closed, not fixed. Yikes.
PluginsController only requires user privileges for potentially sensitive actions
- Includes, but is not limited to: Listing all plugins on the server without being admin, changing plugin settings, listing plugin settings without being admin. This includes the possibility of retrieving LDAP access credentials without admin privileges.
Ouch
I remember when they were arguing that you don’t need a VPN or proxy basic authentication in front of it because their team knows how to write secure code…
There’s a bug (closed as won’t fix) where proxy basic authentication breaks jellyfin. You can’t use it.
I’m not sure who needs to hear this, but unless you work as a security engineer or in another security-focused tech field, you really shouldn’t be exposing your homelab to the open internet anyway.
Most people access their homelabs via VPN. I don’t see anything here that’s a problem for that use case.
I need to run a VPN already. Fine for desktop, but this isn’t a solution for mobile (where you can’t run two VPNs simultaneously)
If my server is already open to everyone, what kind of potential attacks do I need to be worried about? I don’t keep personal files on my streaming server, it’s just videos, music and ISOs/ROMs. I don’t restrict sign-ups, so the idea of an unauthorized user doing something like downloading a video is a non-issue for me really.
I do see where there could be problems for folks running jfin on the same server they keep private photos on, or for people who charge users for access, but that’s not me.
Am I missing something, or is the main result of most of these that a “malicious” actor could download files Jellyfin has access to without authentication?
I guess the worst thing is that your server starts attacking the US military servers because you’ve become part of a botnet.
That happened to my friend one time when I installed Linux on his computer. He made the username and password the same 4-character word. Got a letter from the DoD.
I don’t think they would be so forgiving these days. Especially if you’re brown.
Huh, I can’t check the link right now… But if exposing Jellyfin to the Internet is not an option, then it is not ready to be shipped as the Plex replacement I have heard a lot here and on Reddit.
Put the instance behind another authentication point like a VPN or reverse proxy with SSO. That will prevent the wider Internet from accessing it without legitimate users being cut off. You should be doing this with any server you operate (like Plex), but definitely one that may have legal implications.
aaaand now your smart TV can’t connect. none of them. the clients don’t even support HTTP basic auth creds put into the URL for some crazy reason.
for advanced HTTP-level authentication you would need to run a reverse proxy on the TV’s network that would add the authentication info. for the VPN idea you would need to tunnel the TV’s network’s internet connection at the router. or set up a gateway address in the TVs network settings that would do that. or use a reverse proxy here too so that it repeats the request to the real server.
but honestly, this is the real and only secure way anyway. I wouldn’t be comfortable to expose jellyfin even if the devs are real experts. I mean vulns get discovered, in dotnet, jellyfin dependencies, linux filesystem, and reverse proxy, and honestly who has time to always tightly keep up to date with all that.
that’s not to discount the seriousness of the issue though, it’s a real shame that jellyfin is so much against security
Your smart TV is (presumably) on your local network, so you should be routing the requests locally (point the client at the local IP, assuming it didn’t autodiscover it), not through the VPN/tunnel.
Your smart TV is (presumably) on your local network
often, but not always. sometimes the TV is at a different house, when you are a guest or at a second property
In which case there are still ways to make it work, like putting in an SSO bypass rule for the IP of your other property. Point is, under no circumstances is it impossible to both have it be protected against scanning attacks like the ones described in the gh issue, and keep it available to use over the internet for authorized users.
I am sorry, I don’t think I follow. I am CGNATed anyway, so I need to use VPNs to access my server (if IPv6 is not available; for IPv4 I am experimenting with Tailscale funnels as of now).
You should already be fine in that case.
Agreed. I’m a bit disappointed that it’s being touted as such. If you need a local LAN option, use VLC Player.
It’s a list from 2021 and as a cybersec researcher and Jellyfin user I didn’t see anything that would make me say “do not expose Jellyfin to the Internet”.
That’s not to say there might be something not listed, or some exploit chain using parts of this list, but at least it’s not something that has been abused over the last four years if so.
Agreed, this is a valid list of minor concerns but this is just a fearmongering post. It’s not good that some metadata can leak but if you take normal precautions (i.e. don’t run this next to your classified information storage) it’s fine to open this so your friends can watch media.
Source: me and my Master’s degree in cybersecurity (but apparently OP just learned about Kerckhoffs’s principle and rainbow tables in a completely incorrect context so I know how to do my job or smth lmao)
Edit: lol don’t look at OPs post history, now I know where the fearmongering came from
but if you take normal precautions (i.e. don’t run this next to your classified information storage)
oh yeah I’m pretty sure the majority of users bought a dedicated machine for Jellyfin
More likely than other services due to HWA.
my impression was that people either just put a graphics card in their server, or run jellyfin from the desktop/laptop
The last set of comments is from 2024. These have not been addressed. The fact that it is possible to stream without auth is just bonkers.
The entirety of Jellyfin security is security via obscurity, which is zero security at all.
“As a cybersec researcher”, the limp-wristed, hand-wavy approach to security should be sending up alarm bells. The fact that it doesn’t means that likely either you don’t take your research very seriously, or you aren’t a “cybersecurity researcher”.
“Thank you for this list. We are aware of quite a few, but for reasons of backwards compatibility they’ve never been fixed. We’d definitely like to but doing so in a non-disruptive way is the hard part.”
Is truly one of the statements of all time.
You can’t say that a solution is no security at all when it requires time and intelligence to bypass.
It is at least 0.01 security.
Effort or no, if an attacker can reasonably bypass it, it’s not secure. That’s why software gets security patches all the time, why encryption/hashing algorithms can fall out of favor, and why quantum computing can be pretty fucking scary.
No system is secure.
#confidentlyincorrect
The votes are not on your side
I didn’t say it’s secure, I just said it’s security.
You’re hiding behind literal definitions to avoid addressing the functional issue/implications.
This is like when somebody says “no one believes that” and the other person finds a tweet by one person that believes the thing. The claim isn’t that literally not one person does, it’s that it’s so unusual you may as well act as if nobody does.
Surely you understand how people talk and basic vernacular?
Surely you understand how a stupid response to a silly statement like it is one of the sayings of all time can be appropriate in humorous situations, right?
I understand that you did not find it funny, but I hope that you can understand that it was my intention to be funny, and therefore a serious response is disproportionate.
I thought you were being serious as well. I’ve dealt with enough people who would genuinely make that argument so I assume nothing.
The humorous intent was not obvious.
So I have a NAS running Ubuntu I only keep my movies, my Jellyfin, and torrent software on in an isolated VLAN I stream from. I would think this would make any security issue with Jellyfin a dead end. I stream all content from Jellyfin domain I made and never use it locally. I stream off it at home from my VPN. This seems a safe way to stream where it can be used away from home unless I am missing something? Pointing out any holes in my logic is appreciated.
Use a VPN
Who has the technical wherewithal to run Jellyfin but leaves access on the open web? I get that sharing is part of the point, but no one’s putting their media collection on an open FTP server.
The level of convenience people expect without consequences is astounding. Going to be away from home for a few days? Load stuff onto an external SSD or SD card. Phoning home remotely makes no sense.
The typical guides for installing Jellyfin and friends stop at the point where you can access the service, expecting you to secure it further.
Turns out, the default configuration for many (most) routers is to allow external access to anything a local service will request it to allow, expecting you to secure it further.
Leaving it like that is an explosive combo, which many users never intended to set up, but have nonetheless.
I get that sharing is part of the point, but no one’s putting their media collection on an open FTP server.
You would be very wrong about that. You can even search open FTP servers using Google.
OK. I’ll revise. No one with any sense is doing this. “Hi, RIAA and MPAA, come after me” is an asinine approach. I realize we have at least one generation unfamiliar with Napster, KaZaa and LimeWire, which replaced ratio FTP servers (which in turn replaced F-Servs in IRC). This is terrible online hygiene. You don’t leave your media out there for all to see. At least password protect access before linking to your friends.
Friends, family using Jellyfin is the reason many have it directly available (and not behind VPN for example).
I know people are going to crucify me for this but just fucking use Plex at that point
thanks but no. I like my privacy more
And I like that my wife and kids can jump on and access my server whenever they want from any device without fuss. Everyone has their priorities! I take my privacy pretty seriously but I can’t make it the number one consideration at the cost of everything else all the time. Plus, Jellyfin is a security risk if you don’t know what you’re doing. I’m pretty tech savvy but it definitely pushes my limits so I do not feel comfortable setting it up and constantly maintaining it.
I’m not exposing Jellyfin, but for sure I wouldn’t let my Plex server even see the internet (I bet it wouldn’t even work that way).
jellyfin is perfectly accessible everywhere it needs to be. been using a VPN on my phone for ages for all traffic.
They jacked their prices, or are about to anyway. If you don’t have a lifetime Plex pass then Plex might not be a viable option. My seedbox provider has been pushing people to Jellyfin for anyone without a Plex pass.
“Jacked their prices” is a tad dramatic and if you use Plex regularly you’d be foolish not to just buy the lifetime subscription when they put it on sale for like $80 every year. The price change this year was modest except for lifetime which went from $125-$250 with a heads up meaning you could’ve still gotten it at $125 before the change.
Do you know the details of the price change?
I thought I had a lifetime Plex pass, but turns out I was on yearly and the price went up $20/year, so I bought lifetime before the price went up. My whole family uses Plex, I couldn’t handle setting up Jellyfin for everyone and their devices.
Yeah if I was just serving myself I would’ve probably stuck with Jellyfin, but my wife and kids also use my server. Because of it we pay exactly $0 a month in subscriptions. Plex lifetime pass was a very easy decision to make.
If they do a complete heel turn tomorrow and fuck us all, I could simply shut it down. The money I’ve saved so far has been worth it.
Doesn’t have a sync play feature like Jellyfin does
I understand why you might find that useful, but I do not think that is exactly the most important feature in the world to most people. I could also rattle off plenty of things Plex can do that Jellyfin can’t. I have used both, and the fact of the matter is I’m just willing to take the trade-offs for the simplicity of Plex. You do you!
So what’s the alternative? VPNs are unreliable
Unreliable how?
Possibly some ISP interference with the OpenVPN protocol. Apparently that can happen sometimes
You can always funnel all your VPN traffic through a more typical port, like 80, and there’s very little anyone can do to distinguish between your traffic and typical web traffic.
If your ISP causes issues with inbound traffic to your home network, just add another link to the chain to include a cloud-hosted server, or host it all entirely in the cloud (if you find a trustworthy one with a reasonable cost).
wireguard has been going fine here for 5+ years. only problems were when that garbage raspberry crashed as it always does (but that’s an issue with the hardware) and when the IP changes, but that’s mitigated by dynamic DNS
I think you can IP whitelist who can access it, no? That should solve any problems.
There is zero (0) chance of an attacker knowing and then spoofing the address of your friend unless you have even bigger problems. A good filter should simply not respond to any packets, making the very existence of the exploitable site undetectable.
Wrong use case, the expected one is friends and family watching stuff on your Jellyfin server from different homes, potentially through mobile, all with dynamic IPs
Perfect use for allowlisting based on dynamic DNS hostnames.
is that a feature in Jellyfin? and since when do all ISP subscribers have names in DNS?
You would set up the allowlist in your firewall. There are plenty of free options for dynamic DNS though not from any ISPs that I’m aware of.
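One way to realise the dynamic-DNS allowlist described in this exchange, as an added example that is not from this thread or from the Jellyfin project: it resolves each friend’s DDNS name and emits the nftables commands that bring a named set up to date. The table `inet filter`, the set name `jellyfin_allow`, and the hostnames are this example’s own assumptions (constructed sample values).

```python
"""Dynamic-DNS allowlist reconciliation for a firewall in front of Jellyfin.

Added example, not from the thread or the Jellyfin project. It assumes an
nftables set `jellyfin_allow` in table `inet filter` that an accept rule
already references (e.g. `tcp dport 8096 ip saddr @jellyfin_allow accept`);
names and hostnames below are constructed for illustration.
"""
import socket
import subprocess
from typing import Callable, Iterable

# Hypothetical DDNS names for friends' homes (constructed sample values).
ALLOWED_HOSTS = ["alice-home.example.net", "bob-home.example.net"]
NFT_SET = ["inet", "filter", "jellyfin_allow"]  # assumed table/set name


def resolve_all(hosts: Iterable[str], resolver: Callable[[str], list[str]]) -> set[str]:
    """Resolve every hostname to its IPv4 addresses. A name that fails to
    resolve is skipped, so one stale DDNS record never empties the set."""
    addrs: set[str] = set()
    for host in hosts:
        try:
            addrs.update(resolver(host))
        except OSError:
            continue  # keep whatever the other names resolved to
    return addrs


def system_resolver(host: str) -> list[str]:
    """Default resolver using the system stub resolver (IPv4 only)."""
    return [r[4][0] for r in socket.getaddrinfo(host, None, socket.AF_INET)]


def plan_changes(current: set[str], desired: set[str]) -> list[list[str]]:
    """Compute the nft commands turning `current` into `desired`. New
    addresses are added before stale ones are deleted, so a friend whose
    address just changed is reachable before the old entry is retired."""
    cmds: list[list[str]] = []
    for ip in sorted(desired - current):
        cmds.append(["nft", "add", "element", *NFT_SET, f"{{ {ip} }}"])
    for ip in sorted(current - desired):
        cmds.append(["nft", "delete", "element", *NFT_SET, f"{{ {ip} }}"])
    return cmds


def apply(cmds: list[list[str]], run=subprocess.run) -> int:
    """Run each command (root needed for real nft); returns the count applied."""
    for cmd in cmds:
        run(cmd, check=True)
    return len(cmds)
```

In a cron job, `current` would be parsed from `nft list set inet filter jellyfin_allow`; here it is passed in so the reconciliation can be tested without touching a live firewall.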
oh, in your firewall. I think I can count on one hand the percentage of Jellyfin users who run a firewall appliance besides it
Does your friend have a static IP? Unlikely considering that you have to pay extra for a static IP.
We are lucky, we get two free. Technically they aren’t true static, it’s tied to the MAC of your modem, or your router(s) with the ISP modem in bridge mode. You can pay for true static, but I have probably had the same IP for 5 years, and the same with the modem/router before this one.