High severity · NVD Advisory · Published Apr 24, 2023 · Updated Feb 12, 2025
Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution
CVE-2023-30626
Description
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 have a directory traversal vulnerability inside the ClientLogController, specifically /ClientLog/Document. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Jellyfin.Controller (NuGet) | >= 10.8.0, < 10.8.10 | 10.8.10 |
Patches
82ad2633fdfb Merge pull request from GHSA-9p5f-5x8v-x65m
1 file changed · +5 −0
MediaBrowser.Controller/ClientEvent/ClientEventLogger.cs+5 −0 modified@@ -23,6 +23,11 @@ public async Task<string> WriteDocumentAsync(string clientName, string clientVer { var fileName = $"upload_{clientName}_{clientVersion}_{DateTime.UtcNow:yyyyMMddHHmmss}_{Guid.NewGuid():N}.log"; var logFilePath = Path.Combine(_applicationPaths.LogDirectoryPath, fileName); + if (!Path.GetFullPath(logFilePath).StartsWith(_applicationPaths.LogDirectoryPath, StringComparison.Ordinal)) + { + throw new ArgumentException("Path resolved to filename not in log directory"); + } + await using var fileStream = new FileStream(logFilePath, FileMode.CreateNew, FileAccess.Write, FileShare.None); await fileContents.CopyToAsync(fileStream).ConfigureAwait(false); return fileName;
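Review bot: the new `if` in `WriteDocumentAsync` tests `Path.GetFullPath(logFilePath)` against `_applicationPaths.LogDirectoryPath` with a bare `StartsWith`, and that prefix has no trailing directory separator, so a resolved path in a sibling directory whose name merely begins with the log directory's name (for example a log directory `/config/log` and a resolved path under `/config/log-other/`) would still pass. Suggest resolving the base once with `Path.GetFullPath`, making sure it ends in `Path.DirectorySeparatorChar`, and comparing against that value; this also covers the case where `LogDirectoryPath` itself is not in canonical form, which the current comparison assumes. Since `clientName` and `clientVersion` are interpolated straight into `fileName`, it would also be worth rejecting separator characters in both before the `Path.Combine` call, so the containment check becomes a second line of defence rather than the only one. A regression test that passes a `clientName` containing `..` segments and expects the `ArgumentException` is missing from this change.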
References
- github.com/advisories/GHSA-9p5f-5x8v-x65m (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-30626 (ADVISORY)
- github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq (MISC)
- github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs (MISC)
- github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7 (MISC)
- github.com/jellyfin/jellyfin/pull/5918 (MISC)
- github.com/jellyfin/jellyfin/releases/tag/v10.8.10 (MISC)
- github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m (CONFIRM)