CVE-2025-24960 – Jellystat Path Traversal Vulnerability in Jellyfin Statistics App
The following table lists the changes that have been made to the CVE-2025-24960 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability’s severity, exploitability, or other characteristics.
-
New CVE Received by [email protected]
Feb. 03, 2025
Action Type Old Value New Value Added Description Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the route(s). This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admin(s), there is very little scope for abuse. However, the `DELETE` `files/:filename` can be used to delete any file. This issue has been addressed in version 1.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. Added CVSS V3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N Added CWE CWE-22 Added Reference https://cwe.mitre.org/data/definitions/22.html Added Reference https://github.com/CyferShepard/Jellystat/pull/303 Added Reference https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-6×46-6w9f-ffv6