this post was submitted on 02 Apr 2025
215 points (100.0% liked)


Collection of potential security issues in Jellyfin

This is a non-exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla...

(page 2) 50 comments
[–] HappyTimeHarry@lemm.ee 12 points 23 hours ago (6 children)

If my server is already open to everyone, what kind of potential attacks do I need to be worried about? I don't keep personal files on my streaming server, it's just videos, music and ISOs/ROMs. I don't restrict sign-ups, so the idea of an unauthorized user doing something like downloading a video is a non-issue for me really.

I do see where there could be problems for folks running jfin on the same server where they keep private photos, or for people who charge users for access, but that's not me.

Am I missing something, or is the main result of most of these that a "malicious" actor could download files Jellyfin has access to without authentication?

[–] GiuseppeAndTheYeti@midwest.social 10 points 1 day ago (4 children)

Can someone ELI5 this for me? I have a Jellyfin Docker stack set up through DockSTARTer and managed through Portainer. I also own a domain that uses Cloudflare to access my Jellyfin server. Since everything is set up through Docker, the containers' volumes are globally set to only have access to my media storage. Assuming that my setup is insecure, wouldn't that just mean that "hackers" would only be able to stream free media from my server?

[–] jagged_circle@feddit.nl 3 points 17 hours ago* (last edited 17 hours ago) (2 children)

Or you become part of a botnet and attack your own government's military. Then you get some very angry knocks on your door and a black bag over your face.

And, if you're brown, probably some electrodes on your genitals until you sign a written confession.

[–] kratoz29@lemm.ee 46 points 1 day ago (11 children)

Huh, I can't check the link right now... But if exposing Jellyfin to the Internet is not an option, then it is not ready to be shipped as the Plex replacement I have heard a lot here and on Reddit.

[–] Chastity2323@midwest.social 7 points 23 hours ago (2 children)

Do we even know that Plex is better? It's closed source and hasn't been audited afaik

[–] p03locke@lemmy.dbzer0.com 5 points 1 day ago

Agreed. I'm a bit disappointed that it's being touted as such. If you need a local LAN option, use VLC Player.

[–] troed@fedia.io 100 points 1 day ago (39 children)

It's a list from 2021 and as a cybersec researcher and Jellyfin user I didn't see anything that would make me say "do not expose Jellyfin to the Internet".

That's not to say there might be something not listed, or some exploit chain using parts of this list, but at least it's not something that has been abused over the last four years if so.

[–] fmstrat@lemmy.nowsci.com 2 points 15 hours ago (2 children)

Yeah, many of the linked issues are already closed. Why is this post not down-voted like crazy?

[–] ilega_dh@feddit.nl 43 points 1 day ago* (last edited 1 day ago) (3 children)

Agreed, this is a valid list of minor concerns but this is just a fearmongering post. It’s not good that some metadata can leak but if you take normal precautions (i.e. don’t run this next to your classified information storage) it’s fine to open this so your friends can watch media.

Source: me and my Masters degree in cybersecurity (but apparently OP just learned about Kerckhoff’s principle and rainbow tables in a completely incorrect context so I know how to do my job or smth lmao)

Edit: lol don't look at OP's post history, now I know where the fearmongering came from

[–] Saik0Shinigami@lemmy.saik0.com 8 points 1 day ago* (last edited 1 day ago) (1 children)

Source: R1 masters professor. Literally the person you would have needed to take the class from on the topic at my institution.

This is a problem simply because most paths and names will be similar, due to *arr suites and Docker mounts normalizing them to a standard that Jellyfin wants to see. In the context of Sony's top 1000 movies, they can pre-compile the top 100 likely paths for the file (/movies, /mnt/movies, etc.), then run the 100,000 hash checks through scripts against your instance. How long does it take to let a crawler collect HTTP statuses on 100,000 page loads? Now put that on a bot that gets Jellyfin instances from a tool like Shodan and add more hashes. If you're flagged, the onus is now on you to prove you have a license for the content, and they would have a case that you're distributing (albeit weak), since your server was open to the public. This is child's-play-level abusable. Risking that something easy like this isn't being abused by Sony and others (you know... the willing-to-install-a-rootkit-on-your-computer types...) is a very silly stance to take.

The hash that's used to represent the path isn't salted or otherwise unique.

Edit: mobile typos.
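As an added illustration of the point above (example code written for this thread, not Jellyfin's code or the commenter's): an identifier that is a plain hash of the library path can be matched against a table built offline from guessed mount prefixes and titles, while a keyed hash under a per-server secret cannot. The MD5 scheme is an assumed stand-in for the unsalted hash the comment describes, and the prefixes and titles are constructed sample data.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed sample data standing in for the "top 100 paths" x "top 1000 movies"
# tables described in the comment. Any real table would just be larger.
PREFIXES = ["/movies", "/mnt/movies", "/data/media/movies", "/media/Movies"]
TITLES = ["Example Movie (2019)", "Sample Film (2021)", "Placeholder Picture (2020)"]
EXTENSIONS = [".mkv", ".mp4"]


def candidate_paths():
    """Every prefix/title/extension combination that can be guessed without server access."""
    for prefix, title, ext in itertools.product(PREFIXES, TITLES, EXTENSIONS):
        yield f"{prefix}/{title}/{title}{ext}"


def unsalted_id(path: str) -> str:
    """Assumed stand-in for an unsalted path identifier: plain MD5 of the path."""
    return hashlib.md5(path.encode()).hexdigest()


def keyed_id(path: str, server_key: bytes) -> str:
    """Hardened alternative: HMAC-SHA256 of the path under a secret only the server holds."""
    return hmac.new(server_key, path.encode(), hashlib.sha256).hexdigest()


def build_lookup(id_fn):
    """Precomputed table identifier -> path, built entirely offline."""
    return {id_fn(p): p for p in candidate_paths()}


def recover_path(table, observed_id):
    """Return the path if the observed identifier was in the precomputed table, else None."""
    return table.get(observed_id)


def demo():
    server_key = secrets.token_bytes(32)  # generated on the server, never published
    real_path = "/mnt/movies/Sample Film (2021)/Sample Film (2021).mkv"

    # Unsalted: the offline table matches the live identifier, so the path is revealed.
    leaked = recover_path(build_lookup(unsalted_id), unsalted_id(real_path))

    # Keyed: a table built under any guessed key never matches the server's identifiers.
    attacker_table = build_lookup(lambda p: keyed_id(p, b"guessed-key"))
    protected = recover_path(attacker_table, keyed_id(real_path, server_key))
    return leaked, protected
```

The same salting argument applies to any identifier derived only from predictable input; the fix is the secret, not a different hash function.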

[–] Dempf@lemmy.zip 2 points 18 hours ago (1 children)

If I have rate limiting set up (through crowdsec) to prevent bots from scanning / crawling my server, should I be as worried?

[–] ReversalHatchery@beehaw.org 2 points 19 hours ago

but if you take normal precautions (i.e. don’t run this next to your classified information storage)

oh yeah I'm pretty sure the majority of users bought a dedicated machine for Jellyfin

[–] domi@lemmy.secnd.me 11 points 1 day ago

It's nice to read something sane in these threads.

[–] deadcade@lemmy.deadca.de 22 points 1 day ago

Fully agreed. There's some stuff in the list that could leak server info or metadata about available content to the public, but the rest seems to require some knowledge before being able to exploit it, such as user IDs.

That doesn't mean these aren't issues, but they're not "take your jellyfin down now" type issues either.

[–] KingThrillgore@lemmy.ml 4 points 23 hours ago
[–] tnsi@warhammer.social 13 points 1 day ago

@Scary_le_Poo I wouldn't say never, but in most cases you're best served by sticking it behind WireGuard. But this is also true of any service or tool you don't intend to make available to the greater internet.
