CVE-2021-21402

Severity: High · Exploited in the wild · Nuclei template available

Jellyfin < 10.7.1 - Unauthenticated Arbitrary File Read via Path Traversal


Exploitation Summary

CVE-2021-21402 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including jiaocoll, givemefivw, somatrasss. A Nuclei detection template is also available.


Description

Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, well-crafted requests to certain endpoints allow arbitrary file read from the Jellyfin server's file system. The issue is more prevalent when Windows is used as the host OS. Servers exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem; however, it is recommended to update as soon as possible.

Exploits (3)

nomisec · Working PoC · 1 star
by jiaocoll · infoleak
https://github.com/jiaocoll/CVE-2021-21402-Jellyfin

This PoC exploits CVE-2021-21402, an arbitrary file read vulnerability in Jellyfin via a path traversal attack. It sends crafted HTTP requests to retrieve sensitive files (e.g., jellyfin.db) by abusing the `/Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/` endpoint.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Jellyfin (versions prior to fix for CVE-2021-21402)
Authentication: none required
Prerequisites: Network access to the Jellyfin server · Target server running a vulnerable version of Jellyfin
Analyzed by devstral-2 on Feb 18, 2026
nomisec · Working PoC
by givemefivw · poc
https://github.com/givemefivw/CVE-2021-21402

This repository contains a functional exploit script for CVE-2021-21402, a Jellyfin arbitrary file read vulnerability. The script uses a path traversal technique to read the 'win.ini' file via a crafted GET request.

Classification: Working PoC (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Jellyfin
Authentication: none required
Prerequisites: Target server running a vulnerable Jellyfin instance
Analyzed by devstral-2 on Feb 18, 2026
nomisec · Working PoC
by somatrasss · poc
https://github.com/somatrasss/CVE-2021-21402

The repository contains a functional Python script that exploits CVE-2021-21402, an arbitrary file read vulnerability in Jellyfin versions prior to 10.7.1. The exploit constructs specific paths to read sensitive files like jellyfin.db and win.ini by leveraging directory traversal via encoded backslashes.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Jellyfin < 10.7.1
Authentication: none required
Prerequisites: Target Jellyfin server exposed to the Internet or an accessible network · Python 3 environment with the requests library
Analyzed by devstral-2 on Feb 18, 2026

Nuclei Templates (1)

Jellyfin <10.7.0 - Local File Inclusion
Severity: Medium · Verified · by dwisiswant0
Shodan: http.html:"Jellyfin" || http.html:"jellyfin" || http.title:"jellyfin"
FOFA: title="Jellyfin" || body="http://jellyfin.media" || title="jellyfin" || body="jellyfin" || title="jellyfin" || body="http://jellyfin.media"

Scores

CVSS v3 7.7
EPSS 0.9079
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Details

VulnCheck KEV 2023-11-13
CWE
CWE-22
Status published
Products (1)
jellyfin/jellyfin < 10.7.1
Published Mar 23, 2021
Tracked Since Feb 18, 2026