Platform
other
Component
jellystat
Fixed in
1.1.4
CVE-2025-24960 describes a path traversal vulnerability in Jellystat, a statistics application for Jellyfin. The DELETE files/:filename route takes a filename from the request and uses it to locate the file to remove without confining it to the intended directory, so an attacker can supply "../" sequences and delete arbitrary files on the server, potentially disrupting the application or destroying sensitive data. Versions up to and including 1.1.3 are affected; the fix is in version 1.1.4.
The primary impact of CVE-2025-24960 is unauthorized file deletion. The vulnerable route requires an administrator account, but an attacker who obtains one (through weak or reused credentials, a leaked session, or a compromised admin workstation) could delete any file the Jellystat process has permission to unlink, including its own configuration, backups, or application files, leading to data loss, instability, or denial of service. The administrator requirement narrows the blast radius; the ability to delete arbitrary files once that bar is cleared remains a significant risk.
CVE-2025-24960 was publicly disclosed on 2025-02-03. As of this writing there are no publicly available proof-of-concept exploits. Because the vulnerable route requires administrator authentication, widespread opportunistic exploitation is unlikely. It is not currently listed in the CISA KEV catalog, and its EPSS score of 0.19% (41st percentile) reflects that low assessed likelihood.
Anyone running Jellystat 1.1.3 or earlier alongside Jellyfin is at risk. Shared or multi-tenant hosting where Jellyfin and Jellystat are installed is especially exposed if an administrator account is compromised, since deletion is not confined to Jellystat's own data.
disclosure
Exploit status
EPSS
0.19% (41st percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-24960 is to upgrade Jellystat to version 1.1.4 or later. There is no known workaround, so upgrading is the only effective fix. Before upgrading, take a full backup of the Jellyfin and Jellystat data. After the upgrade, confirm that the running version is 1.1.4 or later, then verify the fix against a throwaway file: an authenticated DELETE to files/:filename with a traversal filename (for example one beginning with "../") must be rejected and must not remove anything outside the intended directory. Until the upgrade is done, restrict who holds Jellystat administrator credentials and review recent admin logins.
Update Jellystat to version 1.1.4 or later. That version corrects the path traversal vulnerability. The update can be applied through Jellystat's usual distribution channels.
CVE-2025-24960 is a path traversal vulnerability in Jellystat versions up to and including 1.1.3 that lets an authenticated administrator delete arbitrary files on the server via the DELETE files/:filename route.
You are affected if you are running Jellystat version 1.1.3 or earlier. Upgrade to 1.1.4 or later to resolve the vulnerability.
Upgrade Jellystat to version 1.1.4 or later. There is no known workaround for this vulnerability.
There are currently no known active exploits targeting CVE-2025-24960, but the vulnerability remains a risk.
Refer to the Jellyfin security advisories page for the latest information: [https://jellyfin.org/security/](https://jellyfin.org/security/)