CVE-2024-43801
📋 TL;DR
Jellyfin accepts SVG files as user profile images and serves them back from the server's own origin. An SVG can carry JavaScript. That script does not run while the Web UI embeds the avatar as an image, but it does run if an administrator opens the image directly in the browser (for example via "Open image in new tab" or by pasting the image URL). The script then executes in Jellyfin's origin, can read the admin's AccessToken from browser LocalStorage, and can replay it against the API to grant the attacker's account administrator rights. Any Jellyfin release before 10.9.10 that lets users upload their own profile image is affected.
💻 Affected Systems
- Jellyfin
📦 What is this software?
Jellyfin is a free, open-source media server maintained by the Jellyfin project; users stream their own media libraries through its Web UI and client apps, and each account can set a profile image.
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains administrator access to the Jellyfin server, allowing full control over media, users, and server configuration.
Likely Case
Limited. The attacker needs a user account on the server (to upload the profile image) and an administrator who opens that avatar outside the Web UI; most attempts stall at the second step.
If Mitigated
With the patch applied, SVG profile images are served with Content-Disposition: attachment, so a direct visit downloads the file instead of rendering it as a document in Jellyfin's origin; the script never runs and LocalStorage is never reachable.
🎯 Exploit Status
Exploit requires an attacker to upload a malicious SVG as a user profile image and trick an admin into viewing it outside the Web UI (e.g., via browser). Public proof-of-concept details are available in the advisory links.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.9.10
Vendor Advisory: https://github.com/jellyfin/jellyfin/security/advisories/GHSA-vcmh-9wx9-rfqh
Restart Required: Yes
Instructions:
1. Back up your Jellyfin data and configuration.
2. Upgrade Jellyfin to version 10.9.10 or later using your package manager (e.g., apt, yum) or by pulling the updated Docker image.
3. Restart the Jellyfin service to apply the change.
4. Verify the upgrade by checking the version in the Web UI or from the command line.
🔧 Temporary Workarounds
Block SVG profile images in front of Jellyfin
Jellyfin's system.xml does not expose an allow-list of profile image types, so enforce this at the reverse proxy: reject uploads to /Users/{userId}/Images/{imageType} whose Content-Type is image/svg+xml, or, mirroring what the fix does, add Content-Disposition: attachment to any response from that path whose upstream Content-Type is image/svg+xml (nginx can do this with a map on $upstream_http_content_type). Either way the SVG can no longer render as a document in the server's origin.
Restrict admin image viewing
Tell administrators not to open user profile images directly (right-click "Open image in new tab", pasting the image URL, or the browser's image viewer) in a browser profile where they have logged in to Jellyfin. Inside the Web UI the avatar is embedded as an image, and browsers do not execute script in SVGs loaded that way.
🧯 If You Can't Patch
- Jellyfin does not ship a dedicated switch for profile-image uploads, so the equivalent is to block the upload endpoint (POST /Users/{userId}/Images/{imageType}) at the reverse proxy for image/svg+xml bodies, and to audit already-uploaded profile images for SVG files.
- Segment the network so only trusted users can reach the server and restrict administrator logins to trusted networks. This narrows who can upload an SVG; it does not remove the risk, since the exploit needs only an ordinary account plus an admin who opens the image.
🔍 How to Verify
Check if Vulnerable:
Check the Jellyfin version in the Web UI (the server version is shown on the Dashboard landing page), from the command line ('jellyfin --version' or your package manager), or via the unauthenticated API endpoint GET /System/Info/Public, which returns a JSON document with a Version field. Any version below 10.9.10 is vulnerable. Compare numerically, not as strings: 10.9.9 is older than 10.9.10 even though it sorts after it lexically.
Check Version:
jellyfin --version # or check via package manager like 'apt list --installed | grep jellyfin' on Linux
Verify Fix Applied:
After upgrading, confirm the version is 10.9.10 or later. To test the behaviour, upload an SVG as a test user's profile image and request it directly in a browser (or inspect the response headers): the response should carry Content-Disposition: attachment and the browser should download the file rather than render it.
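The two checks above (version and response headers) can be scripted. The following is an added example, not code from the Jellyfin project; it assumes the base URL, a user id and an optional API token are supplied by the caller, and that the profile image is served at the Jellyfin API path /Users/{userId}/Images/Primary. The version comparison is done on integer tuples to avoid the 10.9.9-versus-10.9.10 string-ordering trap.

```python
"""Added example (not Jellyfin project code): two checks for CVE-2024-43801.

1. Version: GET /System/Info/Public (unauthenticated Jellyfin endpoint) and compare
   numerically against 10.9.10. A plain string comparison is wrong here, because
   "10.9.9" sorts after "10.9.10".
2. Behaviour: request a user's profile image and confirm that an SVG response carries
   Content-Disposition: attachment, the fixed behaviour described in the advisory.

Assumptions: base URL, user id and optional API token come from the caller; the image
path follows the Jellyfin API (/Users/{userId}/Images/Primary).
"""
import json
import re
import sys
import urllib.error
import urllib.request

FIXED_VERSION = (10, 9, 10)


def parse_version(version_string):
    """'10.9.10' -> (10, 9, 10); trailing suffixes such as '-rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(part) for part in m.groups())


def version_is_vulnerable(version_string):
    """True for any release before 10.9.10 (compared as integer tuples)."""
    return parse_version(version_string) < FIXED_VERSION


def svg_served_inline(headers):
    """True if an SVG response would render inline when opened directly (vulnerable behaviour).

    Non-SVG responses return False: the advisory's condition does not apply to them.
    Header names are matched case-insensitively; parameters (charset=...) are ignored.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    media_type = lower.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "image/svg+xml":
        return False
    disposition = lower.get("content-disposition", "").strip().lower()
    return not disposition.startswith("attachment")


def check_server(base_url, user_id=None, token=None, timeout=5):
    """Query a live server and return a dict with the version verdict and, if a
    user_id is given, whether that user's profile image would render inline."""
    base_url = base_url.rstrip("/")
    with urllib.request.urlopen(f"{base_url}/System/Info/Public", timeout=timeout) as resp:
        version = json.load(resp)["Version"]
    result = {"version": version, "version_vulnerable": version_is_vulnerable(version)}
    if user_id:
        req = urllib.request.Request(f"{base_url}/Users/{user_id}/Images/Primary")
        if token:  # only needed if the instance requires auth for user images
            req.add_header("Authorization", f'MediaBrowser Token="{token}"')
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                result["content_type"] = resp.headers.get("Content-Type")
                result["svg_served_inline"] = svg_served_inline(dict(resp.headers))
        except urllib.error.HTTPError as e:
            result["image_error"] = f"HTTP {e.code}"
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_jellyfin.py BASE_URL [USER_ID [API_TOKEN]]")
    print(json.dumps(check_server(*sys.argv[1:4]), indent=2))
```

Run it against a test user whose profile image you have set to an SVG; a patched server reports `"svg_served_inline": false`. A PNG or JPEG avatar also reports `false`, which says nothing about the fix, so use an SVG for the behavioural check.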
📡 Detection & Monitoring
Log Indicators:
- Profile image uploads (POST /Users/{userId}/Images/{imageType}) with an image/svg+xml body, especially from non-admin accounts. Jellyfin does not log individual HTTP requests by default, so this normally has to come from reverse-proxy access logs.
- Admin-only API calls (for example POST /Users/{userId}/Policy granting IsAdministrator) authenticated with an administrator's token but arriving from a client IP, device or User-Agent that administrator does not normally use: a stolen token is replayed from the attacker's machine, not the admin's.
Network Indicators:
- Responses from /Users/*/Images/* with Content-Type: image/svg+xml and no Content-Disposition: attachment (visible only where TLS is terminated and headers can be inspected).
- Token exfiltration happens from the administrator's browser, not from the Jellyfin server: the script runs client-side and can send the token anywhere the browser can reach. Do not expect the server itself to make outbound connections during this attack.
SIEM Query:
Adapt field names to your SIEM; the query assumes HTTP request logs (reverse-proxy access logs or ASP.NET Core request logging) rather than Jellyfin's default log file, which contains neither the token nor the word "elevate".
source="jellyfin-access" AND method="POST" AND (uri="/Users/*/Images/*" OR uri="/Users/*/Policy")
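Both the pre-screening workaround ("Temporary Workarounds" above) and the audit of already-uploaded profile images ("Log Indicators") come down to the same question: can this SVG run script when opened as a document? The scanner below is an added example, not code from the Jellyfin project. It flags the well-known active-content carriers in SVG (script and foreignObject elements, on* event-handler attributes, javascript: URLs in href-like attributes) and treats malformed XML as a rejection. The sample SVGs are constructed for the test and carry inert placeholders rather than a working payload. It is a backstop, not a sanitizer: serving SVGs as attachments, or refusing them, remains the reliable fix.

```python
"""Added example (not Jellyfin project code): flag SVG files that can run script
when opened directly in a browser, the condition CVE-2024-43801 depends on.

Use it to audit profile images already uploaded to a Jellyfin instance or to screen
uploads at a proxy/WAF you control. Heuristic: it lists well-known active-content
carriers in SVG; it is not a sanitizer. For untrusted input in production prefer
defusedxml over the stdlib parser.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Elements that execute script or embed HTML that can.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes whose value can be a URL (including animation targets for href).
URL_ATTRS = {"href", "src", "values", "to", "from"}
# javascript: at the start of the value, or of any ';'-separated animation value.
JS_URL = re.compile(r"(^|;)\s*javascript:", re.IGNORECASE)


def _local(name):
    """Strip an XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_document):
    """Return a list of findings for an SVG (str or bytes); empty list means nothing active."""
    findings = []
    try:
        root = ET.fromstring(svg_document)
    except ET.ParseError as e:
        return [f"malformed XML ({e}); reject"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name in URL_ATTRS and JS_URL.search(value):
                findings.append(f"javascript: URL in {name}= on <{tag}>")
    return findings


def scan_file(path):
    with open(path, "rb") as f:
        return scan_svg(f.read())


# Constructed samples for demonstration; payload bodies are inert placeholders.
BENIGN = ('<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">'
          '<circle cx="32" cy="32" r="30" fill="teal"/></svg>')
WITH_SCRIPT = ('<svg xmlns="http://www.w3.org/2000/svg">'
               '<script>/* script body omitted */</script></svg>')
WITH_HANDLER = ('<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
                '<rect width="10" height="10"/></svg>')
WITH_JS_HREF = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                '<a xlink:href="javascript:void 0"><text y="20">click</text></a></svg>')
WITH_FOREIGN = ('<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="10" height="10">'
                '<div xmlns="http://www.w3.org/1999/xhtml">x</div></foreignObject></svg>')


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for label, doc in [("benign", BENIGN), ("script", WITH_SCRIPT), ("handler", WITH_HANDLER),
                           ("js-href", WITH_JS_HREF), ("foreignObject", WITH_FOREIGN)]:
            print(f"{label:14} -> {scan_svg(doc) or 'clean'}")
    for path in paths:
        print(f"{path} -> {scan_file(path) or 'clean'}")
```

Run with no arguments to see the constructed samples classified, or pass the paths of exported profile images to audit them; anything with a non-empty finding list should be removed or re-encoded as PNG.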