mirror of
https://github.com/jellyfin/jellyfin.git
synced 2026-07-16 05:43:54 +03:00
[PR #15892] [CLOSED] [Security] Fix HIGH vulnerability: V-001 #14450
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/jellyfin/jellyfin/pull/15892
Author: @orbisai0security
Created: 12/30/2025
Status: ❌ Closed
Base:
master← Head:fix-v-001-jellyfin.server.implementations-cryptography-pbkdf2passwordhasher.cs📝 Commits (1)
1ee1501fix: resolve high vulnerability V-001📊 Changes
1 file changed (+7 additions, -1 deletions)
View changed files
📝
Emby.Server.Implementations/Cryptography/CryptographyProvider.cs(+7 -1)📄 Description
Security Fix
This PR addresses a HIGH severity vulnerability detected by our security scanner.
Security Impact Assessment
Evidence: Proof-of-Concept Exploitation Demo
⚠️ For Educational/Security Awareness Only
This demonstration shows how the vulnerability could be exploited to help you understand its severity and prioritize remediation.
How This Vulnerability Can Be Exploited
The PBKDF2 password hashing in Jellyfin uses only 10,000 iterations with the deprecated SHA1 algorithm, making it vulnerable to offline cracking attacks if an attacker obtains the password hashes from the database. An attacker could use GPU-accelerated tools like Hashcat to brute-force or dictionary-attack these hashes efficiently, potentially recovering user passwords in hours or days depending on password complexity. This demonstrates the real-world exploitability in Jellyfin's context, where user credentials are stored in a database (e.g., SQLite or PostgreSQL) and could be exposed via SQL injection, misconfigured access, or other breaches.
The PBKDF2 password hashing in Jellyfin uses only 10,000 iterations with the deprecated SHA1 algorithm, making it vulnerable to offline cracking attacks if an attacker obtains the password hashes from the database. An attacker could use GPU-accelerated tools like Hashcat to brute-force or dictionary-attack these hashes efficiently, potentially recovering user passwords in hours or days depending on password complexity. This demonstrates the real-world exploitability in Jellyfin's context, where user credentials are stored in a database (e.g., SQLite or PostgreSQL) and could be exposed via SQL injection, misconfigured access, or other breaches.
Exploitation Impact Assessment
Vulnerability Details
V-001Jellyfin.Server.Implementations/Cryptography/Pbkdf2PasswordHasher.csChanges Made
This automated fix addresses the vulnerability by applying security best practices.
Files Modified
Emby.Server.Implementations/Cryptography/CryptographyProvider.csVerification
This fix has been automatically verified through:
🤖 This PR was automatically generated.
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.