
CVE-2025-32012

CVSSv4: 4.6 | CVSSv3: NA | CVSSv2: NA | VMScore: 560 | EPSS: 0.00092 | KEV: Not Included
Published: 15/04/2025 Updated: 16/04/2025

Vulnerability Summary

Unauthenticated IP Spoofing Denial of Service Vulnerability in Jellyfin 10.9.0-10.10.6

A vulnerability exists in Jellyfin, an open source self-hosted media server, affecting versions 10.9.0 to before 10.10.7. The /System/Restart endpoint, designed for server administrators to restart their Jellyfin server, can be abused by an unauthenticated attacker. By spoofing their IP address so that the request appears to originate from the local network, an attacker can restart the Jellyfin server process without authentication. This security flaw allows an attacker to mount a denial-of-service attack by repeatedly sending spoofed restart requests every few seconds. The IP spoofing technique bypasses certain security mechanisms and could potentially circumvent the admin restart requirement if combined with remote code execution. Jellyfin addressed this vulnerability in version 10.10.7, providing a fix for the improper IP validation and unauthorized server restart issue.
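As an added detection example (not part of this advisory or the Jellyfin project), the script below scans access-log lines for the restart loop the summary describes: a single administrator restarts once, whereas the spoofed denial of service produces a steady stream of /System/Restart calls every few seconds. The log format, the sample lines and the threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<iso-timestamp> <client-ip> <method> <path> <status>").
# The first client restarts the server four times in 16 seconds; the second restarts once.
SAMPLE_LOG = """\
2025-04-15T10:00:00 192.168.1.20 POST /System/Restart 204
2025-04-15T10:00:05 192.168.1.20 POST /System/Restart 204
2025-04-15T10:00:11 192.168.1.20 POST /System/Restart 204
2025-04-15T10:00:16 192.168.1.20 POST /System/Restart 204
2025-04-15T10:00:30 192.168.1.50 GET /Items 200
2025-04-15T11:30:00 10.0.0.2 POST /System/Restart 204
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
RESTART_PATH = "/System/Restart"


def restart_bursts(log_text, threshold=3, window_seconds=60):
    """Return {client_ip: peak_count} for every client that called /System/Restart
    at least `threshold` times inside any sliding window of `window_seconds`.

    Because the spoofed requests are logged with a local-looking address, the
    signal used here is the repetition rate, not the source address itself.
    """
    recent = defaultdict(deque)  # client -> timestamps of restart calls still in the window
    flagged = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        ts_text, client, _method, path, _status = match.groups()
        if path != RESTART_PATH:
            continue
        ts = datetime.fromisoformat(ts_text)
        window = recent[client]
        window.append(ts)
        # Drop restart calls that fell out of the sliding window.
        while window and ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold:
            flagged[client] = max(flagged.get(client, 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, count in restart_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} restart requests within 60s")
```

Pair the burst alert with a check of the reverse proxy's trusted-proxy configuration, since the fix in 10.10.7 concerns how the server validates the client address.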