{"id":"CVE-2021-29490","details":"Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Versions prior to 10.7.3 are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP `GET` that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image` and `/Images/Remote` via reverse proxy, or limit to known-friendly IPs.","modified":"2026-04-10T04:32:00.416604Z","published":"2021-05-06T13:15:12.493Z","related":["GHSA-rgjw-4fwc-9v96"],"references":[{"type":"FIX","url":"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jellyfin/jellyfin","events":[{"introduced":"0"},{"fixed":"3566d21ad14f716530969fb4ea85641035e67f6f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"10.7.3"}]}}],"versions":["v10.0.0","v10.0.1","v10.0.2","v10.4.0","v10.5.0","v10.6.0","v10.7.0","v10.7.0-rc1","v10.7.0-rc2","v10.7.0-rc3","v10.7.0-rc4","v10.7.1","v10.7.2","v3.5.2-5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29490.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"}]}