Jellyfin FFmpeg Argument Injection Vulnerability Allowing Remote Code Execution

A vulnerability allowing argument injection in FFmpeg has been identified in Jellyfin versions prior to 10.10.7. This issue can be exploited by authenticated users with low privileges to potentially execute remote code. The vulnerability arises from certain parameters not being properly sanitized, allowing injection that could be leveraged for arbitrary file writing and execution of malicious code through the plugin system. The affected endpoints are '/Videos/<itemId>/stream' and '/Videos/<itemId>/stream.<container>', as well as similar endpoints in the AudioController.

Impact

Exploitation of this vulnerability could lead to remote code execution on the server where Jellyfin is hosted.

Reproduction

To reproduce this vulnerability, an authenticated user with low privileges can send a request to one of the vulnerable video stream endpoints, including an unsanitized parameter that injects malicious arguments into FFmpeg. This can be done by first retrieving a valid itemId, which is accessible to authenticated users.

Remediation

Users can update to Jellyfin version 10.10.7 or later, where this vulnerability has been patched.