
CVE-2025-24960

Severity: High
Published: 03 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (Jellystat 1.1.3)
CVSS Score (v3.1): 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0019 (41.0th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24960 is a high-severity Path Traversal (CWE-22) vulnerability in Mitre (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique File Deletion (T1070.004). Its EPSS ranking places it at the 41.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-24960 is a path traversal vulnerability (CWE-22) in Jellystat, a free and open-source statistics application for the Jellyfin media server. In affected versions prior to 1.1.3, Jellystat directly incorporates user input into routing paths, allowing traversal beyond intended directories. The CVSS v3.1 base score is 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N), reflecting high severity due to potential impacts on confidentiality and integrity.

This vulnerability can be exploited by authenticated administrators with network access to the Jellystat instance. While most affected functionality is admin-only, limiting widespread abuse, the DELETE /files/:filename endpoint enables deletion of arbitrary files on the server, compromising data integrity and potentially exposing sensitive information through unauthorized access or manipulation.

The issue has been addressed in Jellystat version 1.1.3, and users are advised to upgrade immediately, as no workarounds exist. Additional details are available in the GitHub security advisory (GHSA-6x46-6w9f-ffv6) and the fixing pull request (#303).


Vulnerability details

Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the route(s). This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admin(s), there is very little scope for abuse. However, the `DELETE` `files/:filename` can be used to delete any file. This issue has been addressed in version 1.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The path traversal vulnerability in the DELETE /files/:filename endpoint directly enables deletion of arbitrary files outside intended directories, mapping to File Deletion.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0


Affected Assets

Mitre (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation · prevent
Directly prevents path traversal by requiring validation and sanitization of user-supplied filename inputs incorporated into application routes.

SI-2 Flaw Remediation · prevent
Remediates the specific path traversal flaw through timely flaw correction, such as upgrading Jellystat to version 1.1.3.

Access control · prevent
Enforces access control policies to restrict file deletion operations to authorized paths, limiting the impact of path traversal exploitation.
