Seerr Unauthenticated Account Registration Vulnerability via Jellyfin Authentication on Plex-Configured Instances
Vulnerability
A logic flaw in the authentication guard of the Seerr application allows unauthenticated attackers to register accounts on Plex-configured instances by authenticating against an attacker-controlled Jellyfin server. This vulnerability affects Seerr versions from 2.0.0 up to, but not including, 3.1.0. Once an account is registered, the attacker holds an authenticated session with default permissions, including the ability to submit media requests to Radarr or Sonarr.
Impact
Exploitation of this vulnerability allows for unauthenticated account registration on Plex-configured Seerr instances, bypassing access controls and granting attackers authenticated sessions with default permissions.
Reproduction
To reproduce this vulnerability, deploy a Seerr version from 2.0.0 up to, but not including, 3.1.0 with the default settings, ensuring that 'settings.main.mediaServerType' is set to 'PLEX', 'settings.jellyfin.ip' is empty, and 'settings.main.newPlexLogin' is true. Then send a POST request to '/api/v1/auth/jellyfin' containing the details of a Jellyfin server under the tester's control. The request is processed and a new Seerr account is created, bypassing the authentication guard.
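As an added illustration, not Seerr's own code, the following is a minimal guard for the Jellyfin login route that rejects exactly the configuration the advisory describes (Plex media server, empty Jellyfin address) and refuses to authenticate against any server named by the client. The settings keys come from the advisory; the request field `hostname`, the function names and the constructed sample values are assumptions.

```typescript
// Hypothetical guard for POST /api/v1/auth/jellyfin (not Seerr's code).
type MediaServerType = "PLEX" | "JELLYFIN";

interface Settings {
  main: { mediaServerType: MediaServerType; newPlexLogin: boolean };
  jellyfin: { ip: string };
}

interface JellyfinLoginRequest {
  username: string;
  hostname?: string; // server details supplied by the client (assumed field)
}

type GuardResult =
  | { allowed: true; hostname: string }
  | { allowed: false; reason: string };

function jellyfinAuthGuard(settings: Settings, req: JellyfinLoginRequest): GuardResult {
  // The route is only meaningful on Jellyfin-configured instances. The decision
  // rests on the media server type, never on whether a Jellyfin address happens
  // to be set (the advisory's case has PLEX with an empty address).
  if (settings.main.mediaServerType !== "JELLYFIN") {
    return { allowed: false, reason: "media server is not Jellyfin" };
  }
  // Authentication must target the administrator-configured server only.
  const configured = settings.jellyfin.ip.trim();
  if (configured === "") {
    return { allowed: false, reason: "no Jellyfin server configured" };
  }
  if (req.hostname !== undefined && req.hostname !== configured) {
    return { allowed: false, reason: "hostname does not match configured server" };
  }
  return { allowed: true, hostname: configured };
}

// Constructed settings mirroring the advisory's vulnerable configuration.
const advisorySettings: Settings = {
  main: { mediaServerType: "PLEX", newPlexLogin: true },
  jellyfin: { ip: "" },
};

// Constructed settings for a legitimately Jellyfin-configured instance.
const jellyfinSettings: Settings = {
  main: { mediaServerType: "JELLYFIN", newPlexLogin: false },
  jellyfin: { ip: "jellyfin.internal.example" },
};

function checkAdvisoryCase(): GuardResult {
  // A login naming some other server on a Plex-configured instance is refused.
  return jellyfinAuthGuard(advisorySettings, { username: "u", hostname: "other.example" });
}
```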
Remediation
Users can upgrade to Seerr version 3.1.0, which addresses this vulnerability.