Platform
other
Component
jellystat
Fixed in
1.1.4
CVE-2025-24960 describes a path traversal vulnerability in Jellystat, a statistics application for Jellyfin. The flaw lets an authenticated administrator delete arbitrary files on the server hosting Jellystat, which can disrupt the application or destroy sensitive data. It affects Jellystat versions up to and including 1.1.3; the fix shipped in version 1.1.4.
The core impact of CVE-2025-24960 is arbitrary file deletion. Exploitation requires an administrator account, but a successful attack can still cause significant disruption: an attacker could delete critical configuration files, database files, or other essential components of the Jellystat deployment, rendering it unavailable. The blast radius is limited to the server hosting Jellystat and its associated data (any file the Jellystat process has permission to remove), but the consequences of data loss or service disruption can be severe. The vulnerability highlights the importance of secure coding practices, especially when handling user-supplied input in administrative interfaces.
This vulnerability was publicly disclosed on 2025-02-03. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the restricted scope to administrator accounts and the lack of public exploits, the probability of exploitation is considered low to medium.
Exploit Status
EPSS
0.19% (41st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-24960 is to upgrade Jellystat to version 1.1.4 or later, the release that fixes the path traversal. Since the vendor provides no workarounds, upgrading is the only viable option. Before upgrading, back up the Jellystat configuration and database. After upgrading, verify the installation by checking that Jellystat functions normally and that no unauthorized files have been deleted.
Upgrade Jellystat to version 1.1.4 or later. That version fixes the path traversal vulnerability. The update can be performed through Jellystat's usual distribution channels.
CVE-2025-24960 is a path traversal vulnerability in Jellystat versions up to and including 1.1.3 that allows an authenticated administrator to delete arbitrary files via the DELETE files/:filename route.
You are affected if you are running Jellystat version 1.1.3 or earlier. Upgrade to 1.1.4 or later to resolve the vulnerability.
Upgrade Jellystat to version 1.1.4 or later. There are no known workarounds for this vulnerability.
There are currently no known active exploits targeting CVE-2025-24960, but the vulnerability remains a risk.
Refer to the Jellyfin security advisories page for the latest information: [https://jellyfin.org/security/](https://jellyfin.org/security/)