CVE-2025-24960
📋 TL;DR
CVE-2025-24960 is a path traversal vulnerability in Jellystat (a statistics app for Jellyfin) that lets an authenticated admin user delete arbitrary files on the server. The file-deletion route takes a filename from a URL route parameter and builds a filesystem path from it without sanitization, so `..` segments walk out of the directory the route is meant to operate on. Exploitation requires an admin session, so the realistic threat is a malicious admin or a compromised admin account; any installation running a version before the fix is affected.
💻 Affected Systems
- Jellystat
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A malicious admin or a compromised admin account deletes any file the Jellystat process user can write to: the Jellystat database or configuration, Jellyfin data or media on a volume shared with Jellystat, or host files if the process runs as root outside a container. Arbitrary deletion gives no direct code execution, but it can take Jellystat and Jellyfin offline and destroy data that has no backup.
Likely Case
A compromised or careless admin account deletes Jellystat backups, configuration or application data, or Jellyfin files on a volume that Jellystat can write to.
If Mitigated
Deletion is limited to files the Jellystat process user can write to. Running Jellystat as a dedicated unprivileged user, or in a container that mounts only its own data directory, keeps the blast radius to Jellystat's own data.
🎯 Exploit Status
Requires admin authentication. Exploitation involves crafting specific DELETE requests with path traversal sequences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.3
Vendor Advisory: https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-6x46-6w9f-ffv6
Restart Required: Yes (the updated code only runs once the Jellystat process is restarted; the steps below include it)
Instructions:
1. Stop the Jellystat service.
2. Back up the current installation.
3. Update to version 1.1.3 (or later) via package manager or manual download.
4. Restart the Jellystat service.
🔧 Temporary Workarounds
No workarounds available
The advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Restrict admin access to only trusted personnel and implement strong authentication
- Implement file system permissions to limit Jellystat process to only necessary directories
🔍 How to Verify
Check if Vulnerable:
Check Jellystat version. If version is below 1.1.3, the system is vulnerable.
Check Version:
Check the Jellystat web interface, the `version` field in the installation's package.json, or (for Docker deployments) the image tag, if a versioned tag was pulled, for the running version.
Verify Fix Applied:
Confirm Jellystat version is 1.1.3 or higher after update.
📡 Detection & Monitoring
Log Indicators:
- DELETE requests to the files endpoint whose path contains traversal sequences (`../`, `..\`, or their percent-encoded and double-encoded forms such as `%2e%2e%2f` and `%252e%252e%252f`)
- Repeated file deletion requests from one admin account, including successful (2xx) responses: a traversal that works does not fail
Network Indicators:
- HTTP DELETE requests to /files/ endpoints containing `..` in any encoding; a single request is enough to delete a file, so alert on the first match rather than on a threshold
SIEM Query:
http.method:DELETE AND http.uri:"/files/*" AND (http.uri:"*..*" OR http.uri:"*%2e%2e*" OR http.uri:"*%252e%252e*")
The query runs against the raw (undecoded) URI, so the three alternatives cover plain, single-encoded and double-encoded `..`; `*..*` also matches `..\` and `..%2f`. Make the match case-insensitive (`%2E`) where the SIEM does not do so by default. A legitimate file name containing `..` will also match, but this endpoint is admin-only and low volume, so such hits are cheap to triage.