Jellyfin
cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*
- >= 10.9.0, <= 10.10.6
A vulnerability in Jellyfin versions from 10.9.0 up to, but not including, 10.10.7 allows unauthenticated attackers to spoof their IP address so that they appear to be on the same local network as the Jellyfin server. The exploit targets the /System/Restart endpoint, which is intended for administrators only. Because the spoofed address passes the local-network check, the request bypasses authentication, enabling attackers to repeatedly restart the Jellyfin server process and cause a denial-of-service condition. The same spoofing could potentially bypass other security measures and allow interaction with servers that have remote access disabled.
Exploitation of this vulnerability allows unauthenticated denial-of-service attacks against default-configured Jellyfin servers by repeatedly restarting the server process. This disruption can be particularly damaging, as it interrupts service availability and degrades the user experience.
Users are advised to update to Jellyfin version 10.10.7 or later. As of version 10.10.7, the X-Forwarded-For header is no longer trusted by default, which closes the IP spoofing vector. However, administrators must now explicitly configure their trusted proxies; otherwise incoming connections that arrive through a proxy may be blocked.
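The trusted-proxy behaviour described above, as an added illustration that is not Jellyfin's own code: a naive resolver that believes X-Forwarded-For from any peer (the pre-fix behaviour), beside a hardened one that honours the header only when the TCP peer is in an explicitly configured trusted-proxy list. The local-network ranges, proxy addresses and sample requests are constructed for the example.

```python
import ipaddress

# Constructed: address ranges this example treats as "local network"
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip):
    """True if ip falls inside one of the local-network ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def client_ip_naive(peer_ip, headers):
    """Weak: trusts X-Forwarded-For from any peer, so the header decides
    whether a request looks local."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip, headers, trusted_proxies=()):
    """Hardened: X-Forwarded-For is only honoured when the TCP peer is an
    explicitly configured trusted proxy; with no proxies configured the
    header is ignored entirely."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return peer_ip
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return peer_ip
    # Walk hops right to left: skip trusted proxies, the first hop that is
    # not a trusted proxy is the real client.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the peer address
        if not any(addr in net for net in trusted):
            return str(addr)
    return peer_ip  # every hop was a trusted proxy; nothing beyond the peer


if __name__ == "__main__":
    req = {"X-Forwarded-For": "127.0.0.1"}  # constructed request from a public peer
    print("naive:", is_local(client_ip_naive("203.0.113.5", req)))           # True
    print("hardened:", is_local(client_ip_hardened("203.0.113.5", req)))     # False
```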