CVE-2025-24960 HIGH

CVE-2025-24960: Missing Input validation for filename in backups endpoint in Jellystat

Vendor Cyfershepard
Product Jellystat
Weakness CWE-22 · Path traversal
Published February 3, 2025
Last update February 12, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

Description

Jellystat is a free and open source statistics app for Jellyfin. In affected versions Jellystat uses user input directly in its route(s), which can lead to path traversal vulnerabilities. Since this functionality is only available to admin(s), there is very little scope for abuse. However, the `DELETE` `files/:filename` endpoint can be used to delete any file. This issue has been addressed in version 1.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

Disclosure timeline

February 3, 2025 CVE published
February 12, 2025 Record updated