CVE-2025-24960
Published: 03 February 2025
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2025-24960 is a path traversal vulnerability (CWE-22) in Jellystat, a free and open-source statistics application for the Jellyfin media server. In affected versions prior to 1.1.3, Jellystat directly incorporates user input into routing paths, allowing traversal beyond intended directories. The CVSS v3.1 base score is 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N), reflecting high severity due to potential impacts on confidentiality and integrity.
This vulnerability can be exploited by authenticated administrators with network access to the Jellystat instance. While most affected functionality is admin-only, limiting widespread abuse, the DELETE /files/:filename endpoint enables deletion of arbitrary files on the server, compromising data integrity and potentially exposing sensitive information through unauthorized access or manipulation.
The issue has been addressed in Jellystat version 1.1.3, and users are advised to upgrade immediately, as no workarounds exist. Additional details are available in the GitHub security advisory (GHSA-6x46-6w9f-ffv6) and the fixing pull request (#303).
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability in the DELETE /files/:filename endpoint directly enables deletion of arbitrary files outside intended directories, mapping to File Deletion.