I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet


Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla...
in reply to Scary le Poo

I'm not smart, can you tell me if having it behind a reverse proxy with certs and everything fixes any of these flaws?
in reply to walden

Only if the reverse proxy has its own login on top of Jellyfin's, and even that only mitigates some of them.

in reply to walden

Not really, no. These are application flaws. Caddy will happily do its job and just let bad actors abuse them. (Unless you mean mTLS certs, then Caddy would only respond to those having a client certificate, which hopefully reduces the number of bad actors to your users😉)
in reply to walden

Many of the issues are related to unauthenticated requests. Even though your reverse proxy provides SSL, Jellyfin still won’t know the difference between you and a random internet user. So, no, your setup doesn’t mitigate the security risks much at all.
in reply to walden

I'm also an absolute dumbfuck. And I can confidently tell you, as a matter of fact, that I don't know.

I'm running SWAG reverse proxy, my DNS is not tunneled, I share my Jellyfin with others outside my network.

My primary concern is my server gets hacked, or I get charged with distributing 'public domain movies'

in reply to Zozano

Hacking, even on an insecure system, would be illegal. Any copyright troll trying to sue a single user for having a private jellyfin instance which they hacked to find out about would probably have a hard time actually making a case.

"Yeah, this one guy was distributing films to himself and a few friends. I know because I hacked him" doesn't seem like a good case.

in reply to walden

Not unless the reverse proxy adds some layer of authentication as well. Something like HTTP basic auth, or mTLS (AKA 2-way TLS AKA client certificates)

For nginx: docs.nginx.com/nginx/admin-gui…

So if I add a user "john" with password "mypassword" to video.example.com, you can try adding the login as: "https://john:mypassword@video.example.com"

Most HTTP clients (e.g. browsers) support adding login like that. I don’t know what other jellyfin clients do that.

The other option is to set up a VPN (I recommend wireguard)

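Added example (not code from the thread, nginx or Jellyfin) showing both halves of the setup described above: how a client turns the `https://john:mypassword@video.example.com` form into an `Authorization` header, and the check a reverse proxy performs on that header before anything reaches Jellyfin. The salted PBKDF2 store stands in for an htpasswd file so it runs offline; the names `credentials_from_url`, `proxy_check` and the realm string are assumptions.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import unquote, urlsplit, urlunsplit

ITERATIONS = 100_000  # PBKDF2 rounds; a real htpasswd would use bcrypt or apr1


def credentials_from_url(url):
    """Split user:password out of a URL the way a browser does.

    Returns the URL with the credentials removed plus the Authorization
    header (RFC 7617 Basic scheme) the client attaches to the request.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url, {}
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return clean, {"Authorization": f"Basic {token}"}


def make_entry(password, salt=b""):
    """Hash a password with a random salt; stand-in for one htpasswd line."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed credential store (username -> (salt, hash)); john/mypassword
# are the sample values from the comment above.
USERS = {"john": make_entry("mypassword")}
# Used for unknown usernames so response time does not reveal whether a
# name exists (the hash is still computed, then the result is discarded).
DUMMY = make_entry("", b"\x00" * 16)


def proxy_check(headers):
    """What the reverse proxy does before forwarding a request to Jellyfin.

    Returns (status, response_headers): 200 means "pass it through", 401
    means "challenge the client". Every rejection looks identical, so a
    caller cannot tell a bad password from a missing or malformed header.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="jellyfin"'}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, challenge
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge
    salt, expected = USERS.get(user, DUMMY)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if user in USERS and hmac.compare_digest(actual, expected):
        return 200, {}
    return 401, challenge


if __name__ == "__main__":
    clean_url, hdrs = credentials_from_url("https://john:mypassword@video.example.com/web/")
    print(clean_url, hdrs)      # the proxy sees the header, never the URL form
    print(proxy_check(hdrs))    # accepted: request is forwarded to Jellyfin
    print(proxy_check({}))      # challenged: browser shows its login prompt
```

A Jellyfin client that does not send this header, as the thread notes some do not, gets the 401 from the proxy and never reaches Jellyfin at all.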
in reply to

You can't do that with jellyfin.

Basic auth doesn't work with jellyfin. It's a bug. Enable it on your reverse proxy, and jellyfin breaks. Devs closed it as wontfix

in reply to Scary le Poo

It's a list from 2021 and as a cybersec researcher and Jellyfin user I didn't see anything that would make me say "do not expose Jellyfin to the Internet".

That's not to say there might be something not listed, or some exploit chain using parts of this list, but at least it's not something that has been abused over the last four years if so.

in reply to troed

The last set of comments is from 2024. These have not been addressed. The fact that it is possible to stream without auth is just bonkers.

The entirety of jellyfin security is security via obscurity which is zero security at all.

"As a cybersec researcher", the limp wristed, hand wavy approach to security should be sending up alarm bells. The fact that it doesn't, means that likely either, you don't take your research very seriously, or you aren't a "cybersecurity researcher".

"Thank you for this list. We are aware of quite a few, but for reasons of backwards compatibility they've never been fixed. We'd definitely like to but doing so in a non-disruptive way is the hard part."

Is truly one of the statements of all time.

in reply to Scary le Poo

You can't say that a solution is no security at all when it requires time and intelligence to bypass.

It is at least 0.01 security.

in reply to bizarroland

Effort or no, if an attacker can reasonably bypass it, it's not secure. That's why software gets security patches all the time, why encryption/hashing algorithms can fall out of favor, and why quantum computing can be pretty fucking scary.
in reply to bizarroland

You’re hiding behind literal definitions to avoid addressing the functional issue/implications.

This is like when somebody says “no one believes that“ and the other person finds a tweet by one person that believes the thing. The claim isn’t that literally not one person does, it’s that it’s so unusual you may as well act as if nobody does.

Surely you understand how people talk and basic vernacular?

in reply to LandedGentry

Surely you understand how a stupid response to a silly statement like it is one of the sayings of all time can be appropriate in humorous situations, right?

I understand that you did not find it funny, but I hope that you can understand that it was my intention to be funny, and therefore a serious response is disproportionate.

in reply to bizarroland

The humorous intent was not obvious.
in reply to LandedGentry

When "hundredths fractions of security" fails to get a laugh, I know I'm in the wrong group of people.
in reply to LandedGentry

No, in this case it's true independent of my opinion or perspective.
in reply to Pudutr0n

I’d love to see your homework on that. Must be really interesting data points here. I’d love the ability to prove my opinions and ramblings on the Internet are “objectively true.”

All this BS aside I was clearly wrong because they said so. It was a mistake. You’re going to survive.

in reply to Pudutr0n

I’m not upset, you’re just being annoying. And for somebody who says you don’t care or otherwise not invested in all of this, this comment is pretty damn long. So I skipped to the end, have a great rest of your week as well I guess. Assuming you’re actually being sincere.

And before you complain that it’s disrespectful of me to not even read what you wrote or whatever, frankly I found it very disrespectful that you opened up by trying to make me sound emotional and unable to process this rationally and tried to diagnose me (which as someone with autism I’m sure you understand how problematic that is to do to a stranger online after like 2 comments).

A lot of this is simply a really rude Internet argument tactic that I don’t appreciate. I’m calm. I’m being rational. You’re just being rude and again, problematic.

in reply to LandedGentry

No, you misunderstood. I do care, but not about the issue.
About you.

I could be wrong about the issue.

in reply to LandedGentry

I'm sorry I upset you, but yes, you were coming off a little emotional.

I didn't mean to be rude.

What I shared was a personal story about my life which is painful for me to remember. I don't go around sharing shit stuff with people who want to harm me. I share it with people who i think could benefit from it.

I really hope you have an awesome day cause to me, regardless of anything that's been said, you seem like an awesome person. ❤

in reply to Pudutr0n

I’m going to try and take a step back here and really give you a more charitable interpretation.

I am sorry I had such a reaction in some ways. I do not appreciate the implications and accusations you threw my way, but I can believe that they were not meant to be like that and I can get past it. Have a good rest of your week.

in reply to bizarroland

I thought you were being serious as well. I've dealt with enough people who would genuinely make that argument so I assume nothing.
in reply to Scary le Poo

How is someone meant to guess what seems to be a randomly generated id? If they try to brute force it then you could probably set up something like fail2ban to block them after a few failed attempts.

I’m not saying video ids shouldn’t require authentication, they should but the risk of someone getting the video id seems fairly low.

in reply to Link

It isn't randomly generated. If you read through you would have known that.

Also, Rainbow tables.

tldr, Rainbow tables are precomputed lists of hashed values used to crack password hashes quickly. Instead of hashing each password guess on the fly, attackers use these tables to reverse hashes and find the original passwords faster, especially for weak or common ones. They're less effective against hashes protected by a unique salt.

in reply to Scary le Poo

If the ID is the MD5 of the path, rainbow tables are completely useless. You don't have the hash. You need to derive the hash by guessing the path to an existing file, for each file.
in reply to i_am_not_a_robot

How unique do you suppose file system paths are?

How many hashes would one need to gather to quickly determine the root path for all files? Paths are not random so guessing the path is just a rainbow table.

The scanning for known releases becomes trivial once the file system pattern is known.

in reply to Clent

I've not looked but if the video id is based on its path, then surely the path includes the filename no? You can't split a hash into its separate original parts, you either guess the entire thing or not. So in that case, the hash is going to be challenging to brute force.
in reply to lazynooblet

It's not that challenging if you are looking for specific media files, but if you wanted to enumerate the files on a server it's basically impossible.
in reply to Clent

If the server is using a standard path prefix and a standard file layout and is using standard file names it isn't that difficult to find the location of a media file and then from there it would be easier to find more files, assuming the paths are consistent.

But even for low entropy strings, long strings are difficult to brute force, and rainbow tables are useless for this use case.

in reply to troed

Fully agreed. There's some stuff in the list that could leak server info or metadata about available content to the public, but the rest seems to require some knowledge before being able to exploit it, such as user IDs.

That doesn't mean these aren't issues, but they're not "take your jellyfin down now" type issues either.

in reply to troed

So I have a NAS running Ubuntu that I only keep my movies, my Jellyfin, and torrent software on, in an isolated VLAN I stream from. I would think this would make any security issue with Jellyfin a dead end. I stream all content from a Jellyfin domain I made and never use it locally. I stream off it at home from my VPN. This seems a safe way to stream where it can be used away from home unless I am missing something? Pointing out any holes in my logic is appreciated.
in reply to troed

Agreed, this is a valid list of minor concerns but this is just a fearmongering post. It’s not good that some metadata can leak but if you take normal precautions (i.e. don’t run this next to your classified information storage) it’s fine to open this so your friends can watch media.

Source: me and my Master’s degree in cybersecurity (but apparently OP just learned about Kerckhoffs’s principle and rainbow tables in a completely incorrect context so I know how to do my job or smth lmao)

Edit: lol don’t look at OPs post history, now I know where the fearmongering came from

in reply to

If I have rate limiting set up (through crowdsec) to prevent bots from scanning / crawling my server, should I be as worried?
in reply to ilega_dh

but if you take normal precautions (i.e. don’t run this next to your classified information storage)


oh yeah I'm pretty sure the majority of users bought a dedicated machine for Jellyfin

in reply to Scary le Poo

Who has the technical wherewithal to run Jellyfin but leaves access on the open web? I get that sharing is part of the point, but no one's putting their media collection on an open FTP server.

The level of convenience people expect without consequences is astounding. Going to be away from home for a few days? Load stuff onto an external SSD or SD card. Phoning home remotely makes no sense.

in reply to Pete Hahnloser

I know people are going to crucify me for this but just fucking use Plex at that point
in reply to LandedGentry

They jacked their prices, or are about to anyway. If you don't have a lifetime Plex pass then Plex might not be a viable option. My seedbox provider has been pushing people to Jellyfin for anyone without a Plex pass.
in reply to PolarisFx

“Jacked their prices” is a tad dramatic and if you use Plex regularly you’d be foolish not to just buy the lifetime subscription when they put it on sale for like $80 every year. The price change this year was modest, the first in many years, and only impacts specific features many people aren’t even impacted by it.
in reply to LandedGentry

I thought I had a lifetime Plex pass, but turns out I was on yearly and the price went up $20/year, so I bought lifetime before the price went up. My whole family uses Plex, I couldn't handle setting up Jellyfin for everyone and their devices.
in reply to PolarisFx

Yeah if I was just serving myself I would’ve probably stuck with Jellyfin, but my wife and kids also use my server. Because of it we pay exactly $0 a month in subscriptions. Plex lifetime pass was a very easy decision to make.

If they do a complete heel turn tomorrow and fuck us all, I could simply shut it down. The money I’ve saved so far has been worth it.

in reply to Flax

I understand why you might find that useful but I do not think that is exactly the most important feature in the world to most people. I could also rattle off plenty of things Plex can do that Jellyfin can’t. I have used both and the fact of the matter is I just am willing to take the trade-offs for the simplicity of Plex. You do you!
in reply to ReversalHatchery

And I like that my wife and kids can jump on and access my server whenever they want from any device without fuss. Everyone has their priorities! I take my privacy pretty seriously but I can’t make it the number one consideration at the cost of everything else all the time. Plus, Jellyfin is a security risk if you don’t know what you’re doing. I’m pretty tech savvy but it definitely pushes my limits so I do not feel comfortable setting it up and constantly maintaining it.
in reply to Pete Hahnloser

Friends, family using Jellyfin is the reason many have it directly available (and not behind VPN for example).
in reply to Pete Hahnloser

My Jellyfin server is behind Cloudflare with IPs outside of my country banned.

I got Crowdsec set up on Cloudflare, Traefik and Debian directly.

I got Jellyfin up in a docker container behind Traefik, my router opens only ports 80 and 443 and directs them to Traefik.

Jellyfin has only access to my media files which are just downloaded movies and shows hardlinked by Sonarr/Radarr from my download folder.

It is publicly exposed to be able to watch it from anywhere, and share it to family and friends.

So what? They might access the movies, even delete them, I don't care, I'll just hardlink them back or re-download them. What harm can they do that would justify locking everything down?

in reply to Scary le Poo

Huh, I can't check the link right now... But if exposing Jellyfin to the Internet is not an option, then it is not ready to be shipped as the Plex replacement I have heard a lot here and on Reddit.
in reply to kratoz29

Agreed. I'm a bit disappointed that it's being touted as such. If you need a local LAN option, use VLC Player.
in reply to kratoz29

Do we even know that Plex is better? It's closed source and hasn't been audited afaik
in reply to Chastity2323

Do we even know that Plex is better? It’s closed source and hasn’t been audited afaik


Yes... because you can take the raw request your browser makes... remove your auth cookie and replay the same request and it fails.

Closed source doesn't mean that it can't be tested for problems. Just means that you can't go to the code to understand why it's a problem. You can still see that the problem exists (or doesn't in this case).

Edit: I haven't tested every api endpoint myself... but for video files it doesn't work. It's not vulnerable to the same thing that JF is in that specific case.

in reply to Chastity2323

It is if you have compared them together.

I haven't recently, though, and I am a lifetime Plex pass user (we will see what lifetime truly means sooner or later) and I have still been unaffected by most of the changes Plex has done (watch together is the 1st valuable feature that I have lost), so if you can't expose Jellyfin then it is not better than Plex for me.

in reply to kratoz29

Put the instance behind another authentication point like a VPN or reverse proxy with SSO. That will prevent the wider Internet from accessing it without legitimate users being cut off. You should be doing this with any server you operate (like Plex), but definitely one that may have legal implications.
in reply to t3rmit3

aaaand now your smart TV can't connect. none of them. the clients don't even support http basic auth creds put into the URL for some crazy reason.

for advanced HTTP-level authentication you would need to run a reverse proxy on the TV's network that would add the authentication info.
for the VPN idea you would need to tunnel the TV's network's internet connection at the router. or set up a gateway address in the TVs network settings that would do that. or use a reverse proxy here too so that it repeats the request to the real server.

but honestly, this is the real and only secure way anyway. I wouldn't be comfortable exposing jellyfin even if the devs were real experts. I mean vulns get discovered, in dotnet, jellyfin dependencies, linux filesystem, and reverse proxy, and honestly who has time to always tightly keep up to date with all that.

that's not to discount the seriousness of the issue though, it's a real shame that jellyfin is so much against security

in reply to t3rmit3

I am sorry, I don't think I follow, I am CGNATed anyway, so I need to use VPNs to access my server (if IPv6 is not available; for IPv4 I am experimenting with Tailscale funnels as of now).
in reply to Scary le Poo

I wouldn't say never, but in most cases, you're best served by sticking it behind wireguard- but this is also true of any service or tool you don't intend to make available to the greater internet
in reply to Scary le Poo

I think you can IP whitelist who can access it no? That should solve any problems

There is zero (0) chance of an attacker knowing and then spoofing the address of your friend unless you have even bigger problems. A good filter should simply not respond to any packets, making the very existence of an exploitable site undetectable.

in reply to 𝓔𝓶𝓶𝓲𝓮

Does your friend have a static IP? Unlikely considering that you have to pay extra for a static IP.

in reply to Scary le Poo

That depends on the ISP, there's still some out there that will give you one for free.

in reply to Scary le Poo

We are lucky, we get two free. Technically they aren't true static, it's tied to the MAC of your modem, or your router(s) -- with the ISP modem in bridge mode.
You can pay for true static, but I have probably had the same IP for 5 years, and the same with the modem/router before this one.
in reply to 𝓔𝓶𝓶𝓲𝓮

Wrong use case, the expected one is friends and family watching stuff on your Jellyfin server from different homes, potentially through mobile, all with dynamic IPs
in reply to jherazob

Perfect use for allowlisting based on dynamic DNS hostnames.
in reply to unbuckled

is that a feature in Jellyfin? and since when do all ISP subscribers have names in DNS?
in reply to unbuckled

Possibly some ISP interference with the OpenVPN protocol. Apparently that can happen sometimes
in reply to Flax

You can always funnel all your VPN traffic through a more typical port, like 80, and there's very little anyone can do to distinguish between your traffic and typical web traffic.

If your ISP causes issues with inbound traffic to your home network, just add another link to the chain to include a cloud-hosted server, or host it all entirely in the cloud (if you find a trustworthy one with a reasonable cost).

in reply to Flax

wireguard has been going fine here for 5+ years. only problems were when that garbage raspberry crashed as it always does (but that's an issue with the hardware) and when the IP changes, but that's mitigated by dynamic DNS
in reply to Scary le Poo

I'm not sure who needs to hear this, but unless you work as a security engineer or in another security-focused tech field, you really shouldn't be exposing your homelab to the open internet anyway

Most people access their homelabs via VPN - i don't see anything here that's a problem for that use-case.

in reply to ocean

And I would hope those websites are extremely low-risk and not anywhere near essential infrastructure or data ;)
in reply to anarchiddy

I need to run a VPN already. Fine for desktop, but this isn't a solution for mobile (where you can't run two VPNs simultaneously)
in reply to Scary le Poo

Can someone ELI5 this for me? I have a jellyfin docker stack set up through dockstarter and managed through portainer. I also own a domain that uses cloudflare to access my Jellyfin server. Since everything is set up through docker, the containers' volumes are globally set to only have access to my media storage. Assuming that my setup is insecure, wouldn't that just mean that "hackers" would only be able to stream free media from my server?
in reply to

I think I understand now. Thank you! I will be changing my paths then. It's kind of a moot point since I'll change my paths anyway, but for the sake of my own curiosity, i have a follow up question. Feel free to disregard it if you don't feel like taking the time to answer.

Hypothetically, my docker setup only allows jellyfin to see /mnt/user as /storage. So jellyfin would report the path to Morbius as being:

/storage/hdd1/media/movies/Morbius_all_morbed_up.mkv

when in all actuality it would be:

/mnt/user/hdd1/media/movies/Morbius_all_morbed_up.mkv

My intuition tells me that the file path that jellyfin "sees" would be the security risk. So "/storage/hdd1/...." Is that correct?

in reply to GiuseppeAndTheYeti

Or you become part of a botnet and attack your own government's military. Then you get some very angry knocks on your door and a black bag over your face.

And, if you're brown, probably some electrodes on your genitals until you sign a written confession.

in reply to Scary le Poo

If my server is already open to everyone, what kind of potential attacks do I need to be worried about? I don't keep personal files on my streaming server, it's just videos, music and ISOs/ROMs. I don't restrict sign ups, so the idea of an unauthorized user doing something like downloading a video is a non issue for me really.

I do see where there could be problems for folks running jfin on the same server they keep private photos on or for people who charge users for access, but that's not me.

Am I missing something or is the main result of most of these that a "malicious" actor could download files jellyfin has access to without authentication?

in reply to HappyTimeHarry

With unrestricted signups, they can obtain their own account easily. With their own account they can enumerate all your other users.

If they have their own account they can just find your instance, make a login, collect all the proof they need that you're hosting content you don't own (illegally own) then serve you a court summons and ruin your life.

I wouldn't worry about the vulnerability in the link since you're already wide open. But I wouldn't leave Jellyfin wide open either. Movie and TV studios are quite litigious.

I hope you're at least gatekeeping behind a vpn or something.

Edit: typo

in reply to HappyTimeHarry

I guess the worst thing is that your server starts attacking the US military servers because you've become part of a botnet.

That happened to my friend one time when I installed Linux on his computer. He made the username and password the same 4-character word. Got a letter from the DoD.

I don't think they would be so forgiving these days. Especially if you're brown.

in reply to Scary le Poo

For those unaware, it's a good idea to be using a service like tailscale (self hosted=headscale if you don't want to make your login credentials tied to apple, google, or Microsoft). It's a VPN but a lot simpler to use.
in reply to easily3667

I don't know what that means.

Can I use that in addition to another VPN on mobile?

in reply to Scary le Poo

I remember when they were arguing that you don't need a VPN or proxy basic authentication in front of it because their team knows how to write secure code...
in reply to ReversalHatchery

There's a bug (closed as won't fix) where proxy basic authentication breaks jellyfin. You can't use it.
in reply to Scary le Poo

PluginsController only requires user privileges for potentially sensitive actions
* Includes, but is not limited to: Listing all plugins on the server without being admin, changing plugin settings, listing plugin settings without being admin. This includes the possibility of retrieving LDAP access credentials without admin privileges.


Ouch