Cyber Posture

CVE-2025-24960

High

Published: 03 February 2025
Modified: 15 April 2026
CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0019 (40.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24960 is a high-severity Path Traversal (CWE-22) vulnerability in Jellystat; the affected-product entry is recorded as Mitre (inferred from references). Its CVSS base score is 8.7 (High).

Exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE is ranked at the 40.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to File Deletion (T1070.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-10, Information Input Validation): Directly prevents path traversal by requiring validation and sanitization of user-supplied filename inputs incorporated into application routes.
- prevent (SI-2, Flaw Remediation): Remediates the specific path traversal flaw through timely flaw correction, such as upgrading Jellystat to version 1.1.3.
- prevent: Enforces access control policies to restrict file deletion operations to authorized paths, limiting the impact of path traversal exploitation.

MITRE ATT&CK Enterprise Techniques

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The path traversal vulnerability in the DELETE /files/:filename endpoint directly enables deletion of arbitrary files outside intended directories, mapping to File Deletion.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the route(s). This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admin(s), there is very little scope for abuse. However, the `DELETE` `files/:filename` can be used to delete any file. This issue has been addressed in version 1.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Deeper analysis

CVE-2025-24960 is a path traversal vulnerability (CWE-22) in Jellystat, a free and open-source statistics application for the Jellyfin media server. In affected versions prior to 1.1.3, Jellystat directly incorporates user input into routing paths, allowing traversal beyond intended directories. The CVSS v3.1 base score is 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N), reflecting high severity due to potential impacts on confidentiality and integrity.

This vulnerability can be exploited by authenticated administrators with network access to the Jellystat instance. While most affected functionality is admin-only, limiting widespread abuse, the DELETE /files/:filename endpoint enables deletion of arbitrary files on the server, compromising data integrity and potentially exposing sensitive information through unauthorized access or manipulation.

The issue has been addressed in Jellystat version 1.1.3, and users are advised to upgrade immediately, as no workarounds exist. Additional details are available in the GitHub security advisory (GHSA-6x46-6w9f-ffv6) and the fixing pull request (#303).

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: Mitre (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2025-14520 (shared CWE-22)
- CVE-2026-32808 (shared CWE-22)
- CVE-2025-2328 (shared CWE-22)
- CVE-2025-66251 (shared CWE-22)
- CVE-2025-6439 (shared CWE-22)
- CVE-2025-13377 (shared CWE-22)
- CVE-2025-14344 (shared CWE-22)
- CVE-2026-6832 (shared CWE-22)
- CVE-2026-34728 (shared CWE-22)
- CVE-2025-65792 (shared CWE-22)
