CVE-2021-21402 Overview
CVE-2021-21402 is a path traversal vulnerability (CWE-22) in Jellyfin, a free software media system. In versions prior to 10.7.1, the HLS segment and image-by-name endpoints build file paths from client-supplied route values without canonicalizing them or checking that the result stays inside the intended directory, so a crafted request can read arbitrary files from the Jellyfin server's file system (limited to what the Jellyfin service account can read). The issue is more prevalent on Windows hosts, where the backslash is also a directory separator. Servers exposed to the public Internet are at elevated risk of exploitation.
Critical Impact
Authenticated attackers can read any file the Jellyfin service account can read, including Jellyfin's own configuration files, the SQLite databases in its data directory (which hold user account records), media, and other confidential data on the host.
Affected Products
- Jellyfin versions prior to 10.7.1
- Jellyfin deployments on Windows (heightened risk)
- Jellyfin servers exposed to the public Internet
Discovery Timeline
- 2021-03-23 - CVE-2021-21402 published to NVD
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2021-21402
Vulnerability Analysis
This vulnerability stems from missing input validation in two Jellyfin API controllers: the HLS segment controller (HlsSegmentController, which serves transcoded segments by segment ID) and the image-by-name controller (ImageByNameController, which serves images by name and type). Both take route values supplied by the client and combine them directly into a file path under the transcode or general images directory. Without path canonicalization and a boundary check, directory traversal sequences such as ../ (or ..\ on Windows) escape the intended directory and reach arbitrary files on the server's file system.
The vulnerability lets authenticated users read any file readable by the Jellyfin process, which can include configuration files, API keys, the SQLite databases holding user data, and other sensitive information. Windows hosts are more exposed because Windows treats both / and \ as directory separators: a route value such as ..\..\config, which a Unix host would store as a single odd file name inside the intended directory, is interpreted as traversal on Windows, and a rooted value such as C:\... replaces the base directory entirely, since Path.Combine returns its second argument when that argument is an absolute path.
Root Cause
The root cause is a classic CWE-22 (Path Traversal) vulnerability. The affected code directly concatenated user-supplied input with base directory paths without first resolving the full canonical path and validating that the resulting path remains within the intended directory. This allowed attackers to use relative path components to traverse outside the designated transcode or general paths.
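To make the two halves of that root cause concrete, here is an added example (not Jellyfin's code) that mirrors the pre-patch join and a containment check in the spirit of the 10.7.1 fix, written in Python. It uses ntpath and posixpath explicitly so the Windows and Unix path semantics can be compared on any host; the base directories and segment values are constructed for the illustration, and it generalizes the fix slightly by checking the whole resolved path rather than only its directory, with a separator-aware prefix test.

```python
# Added example (not Jellyfin's code): the pre-patch join versus a containment
# check in the spirit of the 10.7.1 fix, run through Python's ntpath/posixpath
# so Windows and Unix behaviour can be compared on any host.
import ntpath
import posixpath

# Constructed base directories standing in for GetTranscodePath() on each OS.
WIN_TRANSCODES = r"C:\ProgramData\Jellyfin\transcodes"
NIX_TRANSCODES = "/var/lib/jellyfin/transcodes"


def resolve_unchecked(pathmod, base, segment_id, ext=".ts"):
    """Pre-patch behaviour: Path.Combine(base, segmentId + ext) and let the OS resolve it."""
    return pathmod.normpath(pathmod.join(base, segment_id + ext))


def naive_prefix_ok(pathmod, base, candidate):
    """Bare StartsWith(base) with no trailing separator: accepts sibling dirs sharing a prefix."""
    return pathmod.normcase(candidate).startswith(pathmod.normcase(base))


def is_contained(pathmod, base, candidate):
    """Separator-aware containment: candidate is base itself or lies below base + separator."""
    base_n = pathmod.normcase(pathmod.normpath(base)).rstrip(pathmod.sep)
    cand_n = pathmod.normcase(pathmod.normpath(candidate))
    return cand_n == base_n or cand_n.startswith(base_n + pathmod.sep)


def resolve_checked(pathmod, base, segment_id, ext=".ts"):
    """Hardened lookup: canonicalise first, then refuse anything outside base (returns None)."""
    candidate = pathmod.normpath(pathmod.join(base, segment_id + ext))
    return candidate if is_contained(pathmod, base, candidate) else None


if __name__ == "__main__":
    probe = r"..\..\..\Windows\win"          # a backslash-only traversal in a route value
    print("Windows, unchecked:", resolve_unchecked(ntpath, WIN_TRANSCODES, probe, ".ini"))
    print("Windows, checked:  ", resolve_checked(ntpath, WIN_TRANSCODES, probe, ".ini"))
    print("Linux, checked:    ", resolve_checked(posixpath, NIX_TRANSCODES, probe, ".ini"))
    print("Rooted value:      ", resolve_checked(ntpath, WIN_TRANSCODES, r"D:\share\x"))
    sibling = r"C:\ProgramData\Jellyfin\transcodes-old\seg.ts"
    print("Sibling dir, naive:", naive_prefix_ok(ntpath, WIN_TRANSCODES, sibling))
    print("Sibling dir, strict:", is_contained(ntpath, WIN_TRANSCODES, sibling))
```

On the Windows path module the backslash probe resolves to C:\Windows\win.ini and is rejected, while the POSIX module keeps the same bytes as one file name inside the transcode directory, which is why the advisory calls the issue more prevalent on Windows; the sibling-directory case shows why a trailing separator belongs in the prefix check.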
Attack Vector
An authenticated attacker can exploit this vulnerability by sending specially crafted HTTP requests to vulnerable endpoints. The attack requires network access to the Jellyfin server and valid user credentials. By manipulating segment IDs or filename parameters with path traversal sequences, the attacker can read arbitrary files from the server's file system. The attack does not require user interaction beyond the attacker's own actions.
// Security patch in Jellyfin.Api/Controllers/HlsSegmentController.cs
{
// TODO: Deprecate with new iOS app
var file = segmentId + Path.GetExtension(Request.Path);
- file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);
+ var transcodePath = _serverConfigurationManager.GetTranscodePath();
+ file = Path.GetFullPath(Path.Combine(transcodePath, file));
+ var fileDir = Path.GetDirectoryName(file);
+ if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath))
+ {
+ return BadRequest("Invalid segment.");
+ }
return FileStreamResponseHelpers.GetStaticFileResult(file, MimeTypes.GetMimeType(file)!, false, HttpContext);
}
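Review bot: the containment test `!fileDir.StartsWith(transcodePath)` is a bare string-prefix check with no trailing directory separator and uses the culture-sensitive `StartsWith(string)` overload, so a sibling directory whose name merely begins with the transcode path (a `transcodes-old` beside `transcodes`) passes the check. Canonicalize `transcodePath` with `Path.GetFullPath` as well, compare `fileDir` against `transcodePath` with a trailing `Path.DirectorySeparatorChar` appended (or require equality), and pass `StringComparison.Ordinal` (`OrdinalIgnoreCase` on case-insensitive file systems).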
Source: GitHub Commit Update
// Security patch in Jellyfin.Api/Controllers/ImageByNameController.cs
: type;
var path = BaseItem.SupportedImageExtensions
- .Select(i => Path.Combine(_applicationPaths.GeneralPath, name, filename + i))
+ .Select(i => Path.GetFullPath(Path.Combine(_applicationPaths.GeneralPath, name, filename + i)))
.FirstOrDefault(System.IO.File.Exists);
if (path == null)
{
return NotFound();
}
+ if (!path.StartsWith(_applicationPaths.GeneralPath))
+ {
+ return BadRequest("Invalid image path.");
+ }
+
var contentType = MimeTypes.GetMimeType(path);
return File(System.IO.File.OpenRead(path), contentType);
}
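Review bot: the check `!path.StartsWith(_applicationPaths.GeneralPath)` runs only after `.FirstOrDefault(System.IO.File.Exists)` has already probed the canonicalized candidates on disk, so a traversal value still gets an existence oracle: an out-of-tree file that exists yields 400 while one that does not yields 404. Apply the containment check before `File.Exists` (a `Where` on the resolved candidates) so every out-of-tree path is rejected uniformly, and, as in HlsSegmentController, compare with `StringComparison.Ordinal` against `GeneralPath` terminated by a directory separator so sibling directories sharing the prefix are not accepted.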
Source: GitHub Commit Update
Detection Methods for CVE-2021-21402
Indicators of Compromise
- HTTP requests containing path traversal sequences (../, ..\, ..%2f, ..%5c, or double-encoded forms such as %252e%252e) in the route part of requests to the HLS segment routes under /Videos/ and /Audio/ or the image-by-name routes under /Images/
- Unusual file access patterns in Jellyfin server logs showing access to files outside the transcode or media directories
- Access attempts to sensitive files such as /etc/passwd, Windows system files, or Jellyfin's own configuration and data files (for example system.xml or jellyfin.db) through Jellyfin endpoints
- On patched servers, HTTP 400 responses carrying "Invalid segment." or "Invalid image path." indicate blocked attempts and are worth alerting on
Detection Strategies
- Monitor web server and reverse proxy access logs for requests containing encoded or unencoded path traversal sequences targeting Jellyfin API endpoints; decode the request path before matching so encoded variants are not missed
- Implement Web Application Firewall (WAF) rules to detect and block directory traversal attempts, bearing in mind that a proxy or WAF may normalize the URI before matching while still forwarding the original request line
- Review Jellyfin application logs for file access operations outside the expected media, transcode, and image directories
- Enable file access auditing (auditd watch rules on Linux, object access auditing on Windows) for sensitive files; file integrity monitoring detects modification, not reads, so it will not catch this vulnerability being exploited
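The following is an added example (not from the original page or from Jellyfin) of the log-scanning strategy described above, in Python: it parses combined-format reverse-proxy access-log lines (an assumed layout), percent-decodes the request path until stable so double encoding collapses, restricts matches to the affected route prefixes, flags a `..` component delimited by either separator, and labels the outcome from the status code. The sample log lines are constructed for the illustration.

```python
# Added example (not part of the original page or of Jellyfin): scan reverse-proxy
# access-log lines for traversal attempts aimed at the affected Jellyfin routes.
import re
from urllib.parse import unquote

# Combined-log-format prefix (assumed nginx/Apache layout); only the needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A ".." component delimited by either separator; backslash matters because the bug is Windows-prone.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Route prefixes of the HLS segment and image-by-name controllers (lower-cased; adjust if a base URL is set).
TARGET_PREFIXES = ("/videos/", "/audio/", "/images/")


def decode_path(raw, max_rounds=3):
    """Percent-decode until stable so %252e%252e (double-encoded) collapses to '..'."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify(line):
    """Return a finding dict for a traversal attempt against a target route, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Jellyfin binds segmentId/name/type from the route, so only the path part is inspected.
    path = decode_path(m.group("target").split("?", 1)[0])
    # ASP.NET Core routing is case-insensitive, so compare lower-cased.
    if not path.lower().startswith(TARGET_PREFIXES):
        return None
    if not TRAVERSAL_RE.search(path):
        return None
    status = int(m.group("status"))
    outcome = {200: "served (possible pre-patch read)", 400: "blocked (patched check)"}.get(
        status, "status %d" % status
    )
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": path, "status": status, "outcome": outcome}


def scan(lines):
    """Run classify over every line and keep the findings."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample lines: one legitimate HLS fetch, three probes, one benign ".." in a query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Mar/2021:10:00:01 +0000] "GET /Videos/8ec5/hls/main/12.ts?api_key=REDACTED HTTP/1.1" 200 51234 "-" "Jellyfin Web"',
    '10.0.0.9 - - [24/Mar/2021:10:00:02 +0000] "GET /Videos/8ec5/hls/main/..%5C..%5C..%5CWindows%5Cwin.ini HTTP/1.1" 200 92 "-" "curl/7.74.0"',
    '10.0.0.9 - - [24/Mar/2021:10:00:03 +0000] "GET /Images/General/%252e%252e%255c%252e%252e%255cconfig/Primary HTTP/1.1" 400 0 "-" "curl/7.74.0"',
    '10.0.0.5 - - [24/Mar/2021:10:00:04 +0000] "GET /Items?searchTerm=a..b HTTP/1.1" 200 1210 "-" "Jellyfin Web"',
    '10.0.0.9 - - [24/Mar/2021:10:00:05 +0000] "GET /audio/8ec5/hls/..%2f..%2fetc%2fpasswd/stream.mp3 HTTP/1.1" 404 0 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The double-encoded probe is flagged as scanning even though the server decodes only once; the `..` inside a query string is ignored because the affected parameters are route values, not query parameters. Feed real lines in via stdin or a file and route the findings to your SIEM.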
Monitoring Recommendations
- Enable verbose logging on Jellyfin servers to capture detailed request information, including the raw request path
- Configure SIEM alerts for path traversal patterns in HTTP request paths, matching on the decoded form as well as the raw one
- Monitor for abnormal file read operations by the Jellyfin service account (for example, auditd watch rules on the Jellyfin configuration directory and on system files on Linux, or object access auditing on Windows)
- Implement network segmentation to limit exposure of Jellyfin servers to untrusted networks
How to Mitigate CVE-2021-21402
Immediate Actions Required
- Upgrade Jellyfin to version 10.7.1 or later immediately
- If immediate upgrade is not possible, restrict network access to the Jellyfin server from untrusted networks
- Review server access logs for signs of exploitation
- Audit user accounts and remove unnecessary access to reduce the authenticated attack surface
Patch Information
Jellyfin has released version 10.7.1, which addresses this vulnerability. The fix canonicalizes the combined path with Path.GetFullPath() and returns HTTP 400 when the resolved path does not lie within the intended transcode or general images directory, instead of serving the file. Users should update to this version or later as soon as possible. The security patch is available via the GitHub Release v10.7.1. Additional details can be found in the GitHub Security Advisory GHSA-wg4c-c9g9-rxhx.
Workarounds
- Restrict Jellyfin server exposure by placing it behind a VPN or firewall that limits access to trusted networks only
- Implement strict filesystem permissions to limit the files readable by the Jellyfin service account
- Deploy a reverse proxy with path filtering rules to block requests containing traversal sequences
- If a reverse proxy fronts the server, deny at the proxy any affected routes your clients do not use (for example the image-by-name routes under /Images/General, /Images/Ratings and /Images/MediaInfo); Jellyfin itself has no per-endpoint switch, so this must be done in front of it
# Configuration example - Restrict Jellyfin to the local network only using iptables
# Allow access from the local network only (adjust CIDR as needed). 8096 is Jellyfin's
# default HTTP port and 8920 its default HTTPS port. These rules cover IPv4 only; add
# matching ip6tables rules if the host is reachable over IPv6.
iptables -A INPUT -p tcp --dport 8096 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8096 -j DROP
iptables -A INPUT -p tcp --dport 8920 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8920 -j DROP
# For reverse proxy path filtering (nginx example), placed inside the server block.
# Match on $request_uri, the raw still-encoded request line: nginx normalizes "../"
# out of the URI before "location" regexes are evaluated, yet forwards the original
# request line to the backend when proxy_pass carries no URI part, so a "location ~* \.\."
# rule misses encoded traversal. This catches ".." or "%2e%2e" followed by a slash or
# backslash in raw or percent-encoded form (\x5c is the backslash written so that nginx
# does not consume the escape). It is a stopgap, not a replacement for upgrading.
if ($request_uri ~* "([.][.]|%2e%2e)(/|%2f|%5c|\x5c)") {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


