
CVE-2021-29490: Medium Vulnerability in Jellyfin

The Jellyfin media system has a medium-severity vulnerability allowing unauthenticated Server-Side Request Forgery (SSRF) attacks. Organizations should address this vulnerability promptly to mitigate potential risks.

Severity: Medium · CVSS 5.8 · Published May 6, 2021


Jellyfin, a free software media system, is affected by an unauthenticated Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2021-29490. This vulnerability allows attackers to exploit the imageUrl parameter, potentially exposing both internal and external HTTP servers or resources accessible via HTTP `GET` requests from the Jellyfin server. The vulnerability affects all Jellyfin versions prior to 10.7.3, which has been patched. Organizations using affected versions should prioritize remediation by updating to the latest version.

The CVSS score for this vulnerability is 5.8, indicating a medium severity level. Although this vulnerability does not directly compromise integrity or availability, it poses a risk by exposing sensitive internal services to unauthorized access. Organizations should assess their exposure and take corrective action to mitigate this risk.

As of now, there are no known exploits or public proofs of concept for this vulnerability, which may reduce immediate risk. Organizations should nevertheless not underestimate the potential for exploitation: the vulnerability is reachable over the network and requires neither authentication nor user interaction, which is what drives its high exploitability score.

Organizations should prioritize patching immediately to protect their systems. It is also advisable to implement the suggested workaround of disabling external access to the API endpoints or limiting access to known-friendly IPs until the patch can be applied.

Vulnerability Details

The vulnerability allows unauthenticated SSRF attacks and is classified under CWE-918 (Server-Side Request Forgery), whose typical impact is information exposure. It was published on May 6, 2021, and affects the Jellyfin media system, which is widely used for media streaming.

Technical Analysis

The root cause of this vulnerability stems from inadequate validation of user-supplied input in the imageUrl parameter. This allows attackers to issue unauthorized requests to internal services, potentially exposing sensitive data. The attack vector is classified as network-based, requiring no authentication or user interaction, which elevates the risk.

Risk & Impact Analysis

The real-world risk associated with CVE-2021-29490 includes the potential for unauthorized access to internal services, which could lead to data breaches or further exploitation within the network. Organizations should assess the blast radius of this vulnerability, especially if sensitive data is handled by the Jellyfin server. Given the CVSS score and the vulnerability's characteristics, it is critical to address this issue as part of the organization's patch management cycle.

Exploitation Status

| Signal | Status |
| --- | --- |
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |

Affected Versions

All versions of Jellyfin prior to 10.7.3 are affected by this vulnerability. Organizations are encouraged to upgrade to version 10.7.3 or later to mitigate the risk.

Mitigation & Remediation

To remediate this issue, organizations should upgrade to Jellyfin version 10.7.3 or later. If immediate patching is not feasible, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image`, and `/Images/Remote` via a reverse proxy. Organizations should also limit access to these endpoints to known-friendly IP addresses.

Detection Guidance

Monitoring for unusual HTTP requests to the affected endpoints can help detect attempts to exploit this vulnerability. Additionally, review logs for any unauthorized access attempts that may indicate exploitation.
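The following Python script is an added example written for this page; it is neither Jellyfin's code nor AppSecure's, and it is not the 10.7.3 patch. It illustrates two things the Technical Analysis and Detection Guidance sections call for: an input check for the `imageUrl` parameter that refuses anything but http(s) URLs whose host is, or resolves only to, a globally routable address, and a scanner that runs over reverse-proxy access logs, picks out requests to the three endpoints listed under Mitigation, and flags those coming from outside a set of known-friendly IPs or carrying an `imageUrl` that points at an internal host. Assumptions not taken from the advisory: the query parameter is literally `imageUrl`, the proxy writes combined-format access logs, and the log lines and the `FAKE_DNS` table are constructed so that hostname resolution works offline (a real deployment would resolve through `socket.getaddrinfo`).

```python
"""SSRF-aware check for the imageUrl parameter plus a scanner for reverse-proxy
access logs (added example; not Jellyfin's or AppSecure's code)."""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Endpoints named in the advisory; the item id segment is matched by [^/]+.
AFFECTED_ENDPOINTS = [
    re.compile(r"^/Items/[^/]+/RemoteImages/Download$", re.IGNORECASE),
    re.compile(r"^/Items/RemoteSearch/Image$", re.IGNORECASE),
    re.compile(r"^/Images/Remote$", re.IGNORECASE),
]

# Constructed stand-in for DNS so the script runs offline; a deployment would
# pass a resolver built on socket.getaddrinfo instead.
FAKE_DNS = {
    "images.example.org": ["93.184.216.34"],   # constructed: public host
    "intranet.corp.example": ["10.0.0.5"],     # constructed: RFC 1918 host
    "localhost": ["127.0.0.1"],
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

def validate_image_url(url, resolve=fake_resolve):
    """Return (ok, reason). Accept only http(s) URLs whose host is, or resolves
    exclusively to, a globally routable address; everything else is refused."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"unresolvable host: {host}"
    for addr in addrs:
        # is_global is False for loopback, RFC 1918, link-local, CGNAT and
        # other special-purpose ranges, for both IPv4 and IPv6.
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{host} -> {addr} is not globally routable"
    return True, "ok"

# Combined log format: client, ident, user, [time], "METHOD target PROTO", status
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def scan_access_log(lines, trusted_sources=frozenset(), resolve=fake_resolve):
    """Return one finding per request to an affected endpoint. A finding is
    flagged when the client is outside trusted_sources (the advisory's
    known-friendly IPs) or when imageUrl fails validate_image_url."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        target = urlparse(m.group("target"))
        if not any(p.match(target.path) for p in AFFECTED_ENDPOINTS):
            continue
        image_url = parse_qs(target.query).get("imageUrl", [None])[0]
        flags = []
        if m.group("src") not in trusted_sources:
            flags.append("untrusted-source")
        if image_url is not None:
            ok, reason = validate_image_url(image_url, resolve)
            if not ok:
                flags.append(f"internal-target ({reason})")
        findings.append({"src": m.group("src"), "ts": m.group("ts"),
                         "path": target.path, "imageUrl": image_url,
                         "flags": flags})
    return findings

# Constructed sample log lines; addresses are documentation/private ranges.
SAMPLE_LOG = [
    '198.51.100.23 - - [06/May/2021:12:00:01 +0000] "GET /Images/Remote'
    '?imageUrl=http%3A%2F%2Fintranet.corp.example%2Fstatus HTTP/1.1" 200 512',
    '192.168.1.20 - - [06/May/2021:12:00:02 +0000] "GET /Items/abc123/RemoteImages/Download'
    '?imageUrl=https%3A%2F%2Fimages.example.org%2Fposter.jpg HTTP/1.1" 200 2048',
    '198.51.100.23 - - [06/May/2021:12:00:03 +0000] "GET /Items/RemoteSearch/Image'
    '?imageUrl=http%3A%2F%2F127.0.0.1%3A8096%2F HTTP/1.1" 200 128',
    '198.51.100.23 - - [06/May/2021:12:00:04 +0000] "GET /web/index.html HTTP/1.1" 200 4096',
    "not a log line",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, trusted_sources={"192.168.1.20"}):
        print(f["ts"], f["src"], f["path"], f["imageUrl"], f["flags"] or ["clean"])
```

Two caveats for anyone adapting the validator. Checking the address before the fetch is only half of the control: the HTTP client must then connect to the address that was validated and must not follow redirects blindly, otherwise a name that resolves to a public address during the check and to an internal one a moment later (DNS rebinding), or a public URL that redirects to an internal one, bypasses it. And the log scanner only sees what the proxy logs; if Jellyfin is reachable on its own port without going through the proxy, the reverse-proxy restriction in the Mitigation section and this detection both miss that path, which is another reason to treat them as stopgaps until 10.7.3 is deployed.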

AppSecure Threat Intelligence Insight

CVE-2021-29490 highlights the importance of securing API endpoints to prevent unauthorized access. As organizations increasingly rely on media systems like Jellyfin, the potential for SSRF vulnerabilities to expose internal resources becomes a significant concern. Regular security assessments, including penetration testing, are essential for identifying and mitigating such vulnerabilities. Organizations should consider implementing comprehensive security measures to protect against similar threats in the future.


Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
