Jellyfin
cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*
- < 10.11.7
A critical vulnerability chain has been identified in Jellyfin versions prior to 10.11.7, allowing a user with the 'Upload Subtitles' permission to execute code remotely as root. The issue arises in the subtitle upload endpoint, where the Format field is not properly validated. Because the unvalidated value is used as the file extension of the stored subtitle, it enables path traversal and therefore arbitrary file writes. This arbitrary file write can be combined with .strm files to read arbitrary files, extract database information, escalate privileges to admin, and ultimately execute code remotely as root via ld.so.preload.
Successful exploitation allows for remote code execution as root.
Users are advised to upgrade to Jellyfin version 10.11.7. If an immediate upgrade is not possible, non-administrator users should not be granted subtitle upload permissions.
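As an added illustration of the mitigation (this is not Jellyfin's code, which is written in C#, and it is not taken from the advisory), the Python sketch below shows the two controls that stop a client-supplied format field from influencing where a subtitle is written: the field is normalized against a fixed allowlist of subtitle extensions before it is ever joined into a filename, and the final path is checked to resolve inside the subtitle directory as defence in depth. The function names, the allowlist, the identifier formats and the `<media_id>.<language>.<ext>` naming scheme are all assumptions made for the example.

```python
import os
import re

# Constructed allowlist of subtitle formats this hypothetical endpoint will
# store. Anything not in the set is rejected instead of being interpolated
# into a filename.
ALLOWED_SUBTITLE_FORMATS = frozenset({"srt", "ass", "ssa", "vtt", "sub"})

# A format token is a short alphanumeric word. Dots, slashes and traversal
# sequences can never match this pattern.
_FORMAT_TOKEN = re.compile(r"[a-z0-9]{1,8}")


def normalize_format(fmt):
    """Return the canonical extension for a client-supplied Format value,
    or None if it is not an allowlisted subtitle format."""
    if not isinstance(fmt, str):
        return None
    token = fmt.strip().lower()
    if not _FORMAT_TOKEN.fullmatch(token):
        return None
    if token not in ALLOWED_SUBTITLE_FORMATS:
        return None
    return token


def build_subtitle_path(subtitle_dir, media_id, language, fmt):
    """Build the destination path for an uploaded subtitle.

    media_id is assumed to be a server-generated identifier and language an
    ISO 639 code (assumed shapes, validated here so no client-controlled
    string reaches os.path.join unchecked). Raises ValueError on any input
    that fails validation or would escape subtitle_dir.
    """
    ext = normalize_format(fmt)
    if ext is None:
        raise ValueError("unsupported subtitle format")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", media_id):
        raise ValueError("invalid media id")
    if not re.fullmatch(r"[a-z]{2,3}", language):
        raise ValueError("invalid language code")

    base = os.path.realpath(subtitle_dir)
    candidate = os.path.realpath(
        os.path.join(base, f"{media_id}.{language}.{ext}")
    )
    # Defence in depth: even if the checks above regress, refuse any path
    # that does not resolve underneath the subtitle directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("destination escapes subtitle directory")
    return candidate


def is_acceptable_upload(media_id, language, fmt, subtitle_dir="/var/lib/subs"):
    """Convenience predicate: True only if the upload would be stored at a
    confined, allowlisted location."""
    try:
        build_subtitle_path(subtitle_dir, media_id, language, fmt)
    except ValueError:
        return False
    return True
```

The important property is that the extension is chosen by the server from the allowlist, never copied from the request; the `commonpath` check exists only to catch a regression in that first control, and a failure there should be logged as a suspicious upload rather than silently dropped.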