this post was submitted on 02 Apr 2025
230 points (100.0% liked)


Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla...

[–] [email protected] 4 points 6 days ago (1 children)

Honestly, is the problem that they need extra hands to fix these issues?

[–] [email protected] 2 points 6 days ago* (last edited 6 days ago) (1 children)

Thank you for this list. We are aware of quite a few, but for reasons of backwards compatibility they've never been fixed. We'd definitely like to but doing so in a non-disruptive way is the hard part.

While I'm sure that some of the answer is in not having dev time to fix it... Their response makes it seem like they're not fully interested in fixing it for other reasons... In the case of this response, "Backwards compatibility".

[–] [email protected] 2 points 5 days ago

That's sad honestly, this is where open source excels, and refusing to fix an issue without a plan to address it as tech debt is just a bad solution

[–] [email protected] 104 points 1 week ago (7 children)

It's a list from 2021 and as a cybersec researcher and Jellyfin user I didn't see anything that would make me say "do not expose Jellyfin to the Internet".

That's not to say there might be something not listed, or some exploit chain using parts of this list, but at least it's not something that has been abused over the last four years if so.

[–] [email protected] 44 points 1 week ago* (last edited 1 week ago) (7 children)

Agreed, this is a valid list of minor concerns but this is just a fearmongering post. It’s not good that some metadata can leak but if you take normal precautions (i.e. don’t run this next to your classified information storage) it’s fine to open this so your friends can watch media.

Source: me and my Master's degree in cybersecurity (but apparently OP just learned about Kerckhoffs's principle and rainbow tables in a completely incorrect context so I know how to do my job or smth lmao)

Edit: lol don’t look at OPs post history, now I know where the fearmongering came from

[–] [email protected] 24 points 1 week ago* (last edited 1 week ago) (38 children)

The last set of comments is from 2024. These have not been addressed. The fact that it is possible to stream without auth is just bonkers.

The entirety of Jellyfin security is security via obscurity, which is zero security at all.

"As a cybersec researcher", the limp-wristed, hand-wavy approach to security should be sending up alarm bells. The fact that it doesn't means that likely either you don't take your research very seriously, or you aren't a "cybersecurity researcher".

"Thank you for this list. We are aware of quite a few, but for reasons of backwards compatibility they've never been fixed. We'd definitely like to but doing so in a non-disruptive way is the hard part."

Is truly one of the statements of all time.

[–] [email protected] 22 points 1 week ago

Fully agreed. There's some stuff in the list that could leak server info or metadata about available content to the public, but the rest seems to require some knowledge before being able to exploit it, such as user IDs.

That doesn't mean these aren't issues, but they're not "take your Jellyfin down now" type issues either.

[–] [email protected] 47 points 1 week ago (14 children)

Huh, I can't check the link right now... But if exposing Jellyfin to the Internet is not an option, then it is not ready to be shipped as the Plex replacement I have heard a lot here and on Reddit.

[–] [email protected] 44 points 1 week ago (7 children)

I'm not sure who needs to hear this, but unless you work as a security engineer or in another security-focused tech field, you really shouldn't be exposing your homelab to the open internet anyway.

Most people access their homelabs via VPN - I don't see anything here that's a problem for that use case.

[–] [email protected] 14 points 1 week ago (1 children)

Many people host websites ;)

[–] [email protected] 14 points 1 week ago

And I would hope those websites are extremely low-risk and not anywhere near essential infrastructure or data ;)

[–] [email protected] 21 points 1 week ago (4 children)

For those unaware, it's a good idea to be using a service like Tailscale (self-hosted = Headscale if you don't want to make your login credentials tied to Apple, Google, or Microsoft). It's a VPN but a lot simpler to use.

[–] [email protected] 16 points 1 week ago* (last edited 1 week ago) (1 children)

I remember when they were arguing that you don't need a VPN or proxy basic authentication in front of it because their team knows how to write secure code...

[–] [email protected] 15 points 1 week ago* (last edited 6 days ago) (1 children)

~~Many of these have already been fixed FWIW, it's not a collection of open issues.~~ Nevermind, they have only been closed, not fixed. Yikes.

[–] [email protected] 15 points 1 week ago* (last edited 1 week ago) (1 children)

No. None of the items are closed. Click the "closed" items. All of them are "Not planned. Duplicate, see 5415".

Edit: The biggest issue of unauthenticated streaming of content... https://github.com/jellyfin/jellyfin/issues/13777

Last opened last week. Closed as duplicate. It's completely unaddressed.

[–] [email protected] 1 points 6 days ago (1 children)

That's really sad. Damn, how disappointing.

[–] [email protected] 2 points 6 days ago (1 children)

I mean it was closed as a duplicate of the collection, not closed.

[–] [email protected] 1 points 6 days ago

I meant it's disappointing that they haven't addressed any of the security issues.

[–] [email protected] 14 points 1 week ago (2 children)

If my server is already open to everyone, what kind of potential attacks do I need to be worried about? I don't keep personal files on my streaming server, it's just videos, music and ISOs/ROMs. I don't restrict sign-ups, so the idea of an unauthorized user doing something like downloading a video is a non-issue for me really.

I do see where there could be problems for folks running jfin on the same server they keep private photos on, or for people who charge users for access, but that's not me.

Am I missing something, or is the main result of most of these that a "malicious" actor could download files Jellyfin has access to without authentication?

[–] [email protected] 18 points 1 week ago* (last edited 1 week ago) (5 children)

With unrestricted signups, they can obtain their own account easily. With their own account they can enumerate all your other users.

If they have their own account they can just find your instance, make a login, collect all the proof they need that you're hosting content you don't own (illegally own) then serve you a court summons and ruin your life.

I wouldn't worry about the vulnerability in the link since you're already wide open. But I wouldn't leave Jellyfin wide open either. Movie and TV studios are quite litigious.

I hope you're at least gatekeeping behind a VPN or something.

Edit: typo

[–] [email protected] 13 points 1 week ago

@Scary_le_Poo I wouldn't say never, but in most cases you're best served by sticking it behind WireGuard - but this is also true of any service or tool you don't intend to make available to the greater internet.
