Jellyfin
cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*
- < 10.11.7
A denial-of-service vulnerability affects Jellyfin versions prior to 10.11.7. The SyncPlay group-creation endpoint does not validate the length of the group name, so any authenticated user can create groups whose names are arbitrarily large. By repeatedly sending such oversized payloads together with arbitrary group IDs, an attacker can make the endpoint unusable for other clients trying to join SyncPlay groups while driving up the memory consumption of the Jellyfin process, potentially to the point of an out-of-memory crash.
The impact is a denial of service: the affected endpoint stops responding to other clients, and the memory growth can crash the Jellyfin process, taking the media server offline. Only an authenticated account is required, so any user with valid credentials on the server can trigger it.
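The defect class the advisory describes, as an added illustration that is not Jellyfin's code: a minimal SyncPlay-style group manager in Python, first without any bound on the name (each request keeps whatever the caller sent, keyed by a caller-chosen ID) and then with the checks a fix of this kind needs. The class names, the 256-byte name limit and the per-user cap of 8 groups are assumptions made for this example; the page does not state the values Jellyfin adopted.

```python
import uuid
from typing import Dict, Optional, Tuple

# Limits assumed for this example; the page does not state Jellyfin's actual values.
MAX_GROUP_NAME_BYTES = 256
MAX_GROUPS_PER_USER = 8


class GroupNameTooLong(ValueError):
    """Raised when a group name exceeds MAX_GROUP_NAME_BYTES once UTF-8 encoded."""


class TooManyGroups(ValueError):
    """Raised when one user tries to own more than MAX_GROUPS_PER_USER groups."""


class VulnerableSyncPlayManager:
    """Models the pre-fix behaviour: any name and any group id are accepted,
    so every request adds len(name) bytes to the process heap indefinitely."""

    def __init__(self) -> None:
        self.groups: Dict[str, Dict[str, str]] = {}   # group_id -> {"name", "owner"}

    def new_group(self, user_id: str, group_name: str,
                  group_id: Optional[str] = None) -> str:
        gid = group_id or str(uuid.uuid4())
        self.groups[gid] = {"name": group_name, "owner": user_id}
        return gid

    def resident_bytes(self) -> int:
        """Bytes held by group names alone; a proxy for the memory growth described."""
        return sum(len(g["name"].encode("utf-8")) for g in self.groups.values())


class HardenedSyncPlayManager(VulnerableSyncPlayManager):
    """Same interface with three checks: bound the encoded name length, let the
    server pick the group id, and cap the number of groups one user may own."""

    def new_group(self, user_id: str, group_name: str,
                  group_id: Optional[str] = None) -> str:
        name = group_name.strip()
        # Check the UTF-8 byte length, not len(name): 256 four-byte code points
        # are 1 KiB, and it is bytes that sit on the heap.
        if not name or len(name.encode("utf-8")) > MAX_GROUP_NAME_BYTES:
            raise GroupNameTooLong(
                f"group name must be 1..{MAX_GROUP_NAME_BYTES} bytes when UTF-8 encoded")
        owned = sum(1 for g in self.groups.values() if g["owner"] == user_id)
        if owned >= MAX_GROUPS_PER_USER:
            raise TooManyGroups(f"user {user_id} already owns {owned} groups")
        # A caller-supplied id is ignored so a client cannot spray arbitrary keys.
        return super().new_group(user_id, name, None)


def simulate_flood(manager: VulnerableSyncPlayManager, user_id: str,
                   name_bytes: int, requests: int) -> Tuple[int, int, int]:
    """Send `requests` group-creation calls, each with a `name_bytes`-long ASCII
    name and a caller-chosen id. Returns (accepted, rejected, resident_bytes)."""
    name = "A" * name_bytes
    accepted = rejected = 0
    for i in range(requests):
        try:
            manager.new_group(user_id, name, group_id=f"attacker-{i}")
            accepted += 1
        except (GroupNameTooLong, TooManyGroups):
            rejected += 1
    return accepted, rejected, manager.resident_bytes()


if __name__ == "__main__":
    # Constructed scenario: one authenticated user sends 50 requests with 1 MiB names.
    print("vulnerable:", simulate_flood(VulnerableSyncPlayManager(), "user-1", 1 << 20, 50))
    print("hardened:  ", simulate_flood(HardenedSyncPlayManager(), "user-1", 1 << 20, 50))
```

The length check alone stops the memory growth; the per-user cap and the server-chosen ID address the "arbitrary group IDs" half of the report, since a single account could otherwise still fill the group table with many small entries. Note that the byte length, not the character count, is what bounds the allocation.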
Users are advised to upgrade to Jellyfin version 10.11.7 or later, where this vulnerability has been fixed. Instructions for upgrading can be found in the Jellyfin release notes.