CVE-2024-44081

9.8 CRITICAL

📋 TL;DR

This vulnerability in Jitsi Meet allows attackers to inject malicious URLs into video sharing messages, causing clients to load content from arbitrary external sources. All users of affected Jitsi Meet instances are vulnerable to this cross-site scripting attack. The vulnerability affects the client-side rendering of video sharing functionality.

💻 Affected Systems

Products:
  • Jitsi Meet
Versions: All versions before 2.0.9779
Operating Systems: All platforms running Jitsi Meet
Default Config Vulnerable: ⚠️ Yes
Notes: All Jitsi Meet deployments with video sharing enabled are vulnerable. Self-hosted and cloud instances are both affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could load malicious JavaScript from external domains, leading to complete account takeover, session hijacking, or malware distribution to all meeting participants.

🟠 Likely Case

Attackers inject malicious URLs that load tracking scripts, steal session cookies, or redirect users to phishing sites during video conferences.

🟢 If Mitigated

With proper content security policies and input validation, the impact is limited to broken video functionality without code execution.

🌐 Internet-Facing: HIGH - Jitsi Meet instances accessible from the internet are directly exposed to any attacker who can join or observe meetings.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to send messages in a Jitsi Meet room. The vulnerability is in the client-side rendering, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.9779 and later

Vendor Advisory: https://github.com/jitsi/security-advisories/blob/master/advisories/JSA-2024-0003.md

Restart Required: Yes

Instructions:

1. Update Jitsi Meet to version 2.0.9779 or later.
2. For self-hosted instances: update via package manager or manual installation.
3. Restart all Jitsi Meet services.
4. Verify the update by checking the version in the web interface.

🔧 Temporary Workarounds

Disable video file sharing
  • Platform: all
  • Description: Temporarily disable the vulnerable video sharing functionality
  • Action: Set 'disableVideoFileSharing: true' in Jitsi Meet configuration

Implement strict CSP headers
  • Platform: all
  • Description: Add Content Security Policy headers to restrict external resource loading
  • Action: Add 'Content-Security-Policy: default-src 'self'; media-src 'self' https:' to web server configuration

🧯 If You Can't Patch

  • Implement network segmentation to isolate Jitsi Meet instances from sensitive systems
  • Enable meeting authentication to restrict access to trusted participants only

🔍 How to Verify

Check if Vulnerable:

Check Jitsi Meet version in web interface or via 'dpkg -l | grep jitsi-meet' on Debian/Ubuntu systems

Check Version:

dpkg -l | grep jitsi-meet-web  # For Debian/Ubuntu, or check web interface

Verify Fix Applied:

Confirm version is 2.0.9779 or later and test video sharing with external URLs to ensure they are blocked
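The version check above, automated over `dpkg -l` output. This is an added example, not part of the advisory or the Jitsi project; the sample dpkg lines are constructed, and it assumes the 2.0.9779 threshold applies to the version column of the `jitsi-meet` package line.

```python
import re
from typing import Optional, Tuple

# First fixed release named in the advisory.
FIXED_VERSION = (2, 0, 9779)

# Constructed sample of `dpkg -l | grep jitsi-meet` output (not from a real host).
SAMPLE_DPKG_OUTPUT = """\
ii  jitsi-meet           2.0.9457-1  all  WebRTC JavaScript video conferences
ii  jitsi-meet-prosody   1.0.7762-1  all  Prosody configuration for Jitsi Meet
ii  jitsi-meet-web       1.0.7762-1  all  WebRTC JavaScript video conferences
"""

# dpkg -l columns: status, package name, version, architecture, description.
LINE_RE = re.compile(r"^(\w\w)\s+(\S+)\s+(\S+)\s+")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.9457-1' into (2, 0, 9457); the Debian revision after '-' is dropped."""
    upstream = text.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def installed_version(dpkg_output: str, package: str = "jitsi-meet") -> Optional[str]:
    """Return the version column of an installed ('ii') package, or None if absent."""
    for line in dpkg_output.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "ii" and m.group(2) == package:
            return m.group(3)
    return None


def is_vulnerable(version: str) -> bool:
    """True when the installed upstream version is older than the first fixed release."""
    return parse_version(version) < FIXED_VERSION


def assess(dpkg_output: str) -> str:
    """One-line verdict suitable for a fleet inventory script."""
    version = installed_version(dpkg_output)
    if version is None:
        return "jitsi-meet not installed via dpkg; check the web interface instead"
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"jitsi-meet {version}: {state} (fixed in 2.0.9779)"


if __name__ == "__main__":
    print(assess(SAMPLE_DPKG_OUTPUT))
```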

📡 Detection & Monitoring

Log Indicators:

  • Unusual external URL patterns in Jitsi logs
  • Multiple failed video load attempts from external domains

Network Indicators:

  • Unexpected outbound connections from Jitsi clients to unknown domains during meetings
  • HTTP requests to external video hosting services

SIEM Query:

source="jitsi.log" AND (url CONTAINS "http://" OR url CONTAINS "https://") AND NOT url CONTAINS "expected-domain.com"
