CVE-2021-29490 Overview
CVE-2021-29490 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability affecting Jellyfin, a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Versions prior to 10.7.3 are vulnerable to SSRF attacks via the imageUrl parameter. This vulnerability potentially exposes both internal and external HTTP servers or other resources available via HTTP GET requests that are visible from the Jellyfin server.
Critical Impact
Unauthenticated attackers can leverage this SSRF vulnerability to probe internal network infrastructure, access sensitive internal services, or potentially bypass network security controls to reach otherwise protected resources.
Affected Products
- Jellyfin versions prior to 10.7.3
Discovery Timeline
- 2021-05-06 - CVE-2021-29490 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-29490
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The SSRF flaw exists in Jellyfin's image handling functionality, specifically in the way the application processes the imageUrl parameter without proper validation. Because the affected endpoints do not require authentication, any unauthenticated attacker with network access to the Jellyfin server can exploit this vulnerability.
The scope of this vulnerability extends beyond the vulnerable application itself, as successful exploitation allows attackers to make requests to internal systems that would otherwise be unreachable from external networks. This can lead to information disclosure about internal network topology, access to internal services, and potential pivoting to other vulnerable systems.
Root Cause
The root cause of this vulnerability lies in insufficient input validation of user-supplied URLs in the imageUrl parameter. The Jellyfin server processes these URLs and makes HTTP GET requests on behalf of the user without properly restricting the target hosts or validating that the requested resource is an appropriate external image source. This allows attackers to specify arbitrary URLs, including those pointing to internal network resources.
Attack Vector
The vulnerability is exploitable via network access to the Jellyfin server. An attacker can craft malicious requests to the vulnerable API endpoints, specifying arbitrary URLs in the imageUrl parameter. The Jellyfin server will then make HTTP GET requests to these URLs, effectively acting as a proxy for the attacker.
The following API endpoints are affected:
- /Items/*/RemoteImages/Download
- /Items/RemoteSearch/Image
- /Images/Remote
An attacker could target internal services such as cloud metadata endpoints (e.g., AWS EC2 metadata at 169.254.169.254), internal web applications, or other HTTP-accessible resources. The response from these internal requests may be returned to the attacker or can be inferred through timing analysis. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2021-29490
Indicators of Compromise
- Unusual HTTP requests from the Jellyfin server to internal IP addresses or cloud metadata endpoints
- Requests to the affected endpoints (/Items/*/RemoteImages/Download, /Items/RemoteSearch/Image, /Images/Remote) with suspicious imageUrl parameter values targeting internal resources
- Network connections from the Jellyfin server to unexpected internal services or ports
Detection Strategies
- Monitor web application firewall (WAF) logs for requests to the affected API endpoints containing internal IP addresses or localhost references in the imageUrl parameter
- Implement network monitoring to detect outbound HTTP connections from the Jellyfin server to internal IP ranges
- Review Jellyfin application logs for unusual remote image download requests
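The following Python script is an added example, not code from this page or from the Jellyfin project. It serves two passages at once: the root-cause discussion (an imageUrl value must be checked before the server fetches it) and the detection strategies above (the same check applied to reverse-proxy access logs). classify_url is the validation a hardened remote-image fetcher would apply before issuing its GET; scan_access_log runs it over constructed combined-format access-log lines for the three affected endpoints. The log layout, the sample client addresses and the assumption that the query key is matched case-insensitively are all assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Address ranges a server-side image fetcher should never contact on a user's behalf
# (loopback, link-local including the cloud metadata range, RFC 1918, CGNAT, ULA).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}

# The three affected endpoints; "*" in /Items/*/RemoteImages/Download is the item id.
# ASP.NET Core routing is case-insensitive, so the pattern is too (assumption for this example).
AFFECTED_PATHS = re.compile(
    r"^(?:/Items/[^/]+/RemoteImages/Download|/Items/RemoteSearch/Image|/Images/Remote)/?$",
    re.IGNORECASE,
)


def classify_url(url: str) -> str:
    """Return 'ok' if the URL is an acceptable remote image source, else a reason string."""
    try:
        parts = urlparse(url)
    except ValueError:
        return "unparseable"
    if parts.scheme not in ("http", "https"):
        return f"scheme:{parts.scheme or 'none'}"
    host = parts.hostname  # brackets stripped, lower-cased by urlparse
    if not host:
        return "no-host"
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return f"blocked-hostname:{host}"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name. A real fetcher must resolve it, re-run the range check on every
        # resulting address and pin the connection to that address; resolution is
        # omitted here so the example runs offline.
        return "ok"
    # IPv4-mapped IPv6 literals (::ffff:127.0.0.1) must be judged as their IPv4 form.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if any(addr in net for net in BLOCKED_NETWORKS):
        return f"internal-address:{addr}"
    return "ok"


# Combined-format access log line: client, identity, user, [timestamp], "METHOD target proto", status.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per request to an affected endpoint whose imageUrl is unsafe."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = urlparse(m["target"])
        if not AFFECTED_PATHS.match(target.path):
            continue
        query = parse_qs(target.query)  # values are percent-decoded here
        values = [v for key, vs in query.items() if key.lower() == "imageurl" for v in vs]
        for value in values:
            verdict = classify_url(value)
            if verdict != "ok":
                findings.append({
                    "client": m["client"], "time": m["ts"], "path": target.path,
                    "image_url": value, "reason": verdict,
                })
    return findings


# Constructed sample log (documentation addresses only; not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/May/2021:12:00:01 +0000] "GET /Items/abc123/RemoteImages/Download?Type=Primary&ImageUrl=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512
203.0.113.7 - - [06/May/2021:12:00:02 +0000] "GET /Images/Remote?imageUrl=http%3A%2F%2F127.0.0.1%3A8096%2FSystem%2FInfo HTTP/1.1" 200 1024
198.51.100.9 - - [06/May/2021:12:00:03 +0000] "GET /Items/RemoteSearch/Image?imageUrl=https%3A%2F%2Fimages.example.com%2Fposter.jpg&providerName=Example HTTP/1.1" 200 40000
198.51.100.9 - - [06/May/2021:12:00:04 +0000] "GET /Users/Public HTTP/1.1" 200 80
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Two limits worth knowing when using this as a detection: the classifier only judges literal addresses and a short hostname denylist, so a DNS name that resolves to an internal address, or an unusual literal form such as a decimal or octal IPv4 address, passes through as "ok" until the resolution step is added; and an alert on the reverse proxy only sees traffic that went through it, so the outbound network monitoring recommended above remains necessary for requests that reached Jellyfin directly.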
Monitoring Recommendations
- Deploy network segmentation rules to restrict the Jellyfin server's ability to reach sensitive internal services
- Configure alerting for any requests to cloud metadata endpoints from application servers
- Establish baseline network behavior for the Jellyfin server and alert on anomalies
How to Mitigate CVE-2021-29490
Immediate Actions Required
- Upgrade Jellyfin to version 10.7.3 or later immediately
- If immediate patching is not possible, implement the workarounds described below
- Audit logs for any signs of exploitation prior to patching
Patch Information
The vulnerability has been patched in Jellyfin version 10.7.3. Organizations running vulnerable versions should upgrade as soon as possible. The official security advisory is available at the Jellyfin GitHub Security Advisory.
Workarounds
- Disable external access to the vulnerable API endpoints via reverse proxy configuration: /Items/*/RemoteImages/Download, /Items/RemoteSearch/Image, and /Images/Remote
- Restrict access to these endpoints to known-friendly IP addresses only
- Implement network-level controls to limit the Jellyfin server's ability to make outbound HTTP requests to internal network ranges
# Example Nginx reverse proxy configuration to block the vulnerable endpoints.
# Place these inside the server { } block that proxies to Jellyfin, ahead of the
# catch-all location that does proxy_pass. Jellyfin (ASP.NET Core) matches routes
# case-insensitively and tolerates a trailing slash, so each location uses a
# case-insensitive regex (~*) with an optional trailing slash; plain prefix
# locations such as "location /Images/Remote" would let /images/remote through.
location ~* ^/Items/[^/]+/RemoteImages/Download/?$ {
    return 403;
}
location ~* ^/Items/RemoteSearch/Image/?$ {
    return 403;
}
location ~* ^/Images/Remote/?$ {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

