Cyber Resilience

CVE-2025-32012

Medium

Published: 15 April 2025

Published
15 April 2025
Modified
06 October 2025
KEV Added
Patch
CVSS Score v4 4.6 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0032 55.9th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-32012 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Jellyfin Jellyfin. Its CVSS base score is 4.6 (Medium).

Operationally, ranked in the top 44.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Jellyfin is an open source self-hosted media server affected by an authorization bypass vulnerability in versions 10.9.0 through 10.10.6. The /System/Restart endpoint, which is intended to be restricted to administrators, incorrectly authorizes requests originating from any device on the same local network due to the way the server determines the source IP address of incoming requests. This flaw is tracked as CWE-290.

An unauthenticated remote attacker can exploit the weakness by spoofing a LAN source IP address in requests to the restart endpoint. Successful exploitation allows repeated restarts of the Jellyfin process, resulting in a denial-of-service condition on any default-configured instance; the same spoofing technique may also weaken other security controls or facilitate further attacks if combined with remote code execution.

The vulnerability is addressed in version 10.10.7, as detailed in the project's security advisory GHSA-qcmf-gmhm-rfv9 and the corresponding commit that enforces proper authentication checks on the endpoint.

EPSS scores for the CVE rose from a low baseline to a peak of 0.0174 on 2026-02-09 before receding to the current value of 0.0032, indicating a temporary increase in exploitation interest after disclosure.

EU & UK References

Vulnerability details

Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from…

more

any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing also bypasses some security mechanisms, cause a denial-of-service attack, and possible bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jellyfin
jellyfin
10.9.0 — 10.10.7

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-290

Reveals spoofed logon attempts through unexpected previous logon timestamps upon legitimate login.

addresses: CWE-290

Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass.

addresses: CWE-290

Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts.

addresses: CWE-290

Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve.

addresses: CWE-290

Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing.

addresses: CWE-290

Unique identification and authentication of services before communications makes spoofing of service identities substantially harder.

addresses: CWE-290

Isolated trusted path ensures the user interacts only with genuine system components, preventing spoofing of authentication interfaces or prompts.

addresses: CWE-290

Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source.

References