[Issue]: Jellyfin binds to all interfaces when using any loopback address other than 127.0.0.1 or [::1] #4978

New Issue

Closed

opened 2026-02-07 01:21:10 +03:00 by OVERLORD · 1 comment

OVERLORD commented 2026-02-07 01:21:10 +03:00

Owner

Copy Link

Originally created by @lucasmz-dev on GitHub (Jul 19, 2023).

Please describe your bug

The title is very self-explanatory, it's pretty much it. If you use any other loopback address in 127.0.0.0/8, like 127.0.0.2 even, Jellyfin seems to believe it's not a valid IP or something, instead, it defaults to binding to every interface.

This caused a security problem for me, I use port 80 and 443, and because it was binding to every interface and IP it saw, it also binded to a bunch of public IPv6 addresses, this usually wouldn't be that big of an issue, however my router is kind of crap and does not have a stateful firewall, and since I trusted Jellyfin with firewall rules, it opened those ports directly to the open web; anyone pasting my IP on their browser would directly get into Jellyfin's page.

I use a reverse proxy because it has a lot of benefits, and I need to host other stuff in the same IP on the web, so I set Jellyfin to use 127.0.1.1, but didn't realize until weeks, maybe a month later what was going on.

Jellyfin Version

10.8.z

if other:

No response

Environment

- OS: Windows 11
- Linux Kernel: none
- Virtualization: none ?
- Clients: Not applicable
- Browser: Not applicable
- FFmpeg Version: Not applicable
- Playback Method: Not applicable
- Hardware Acceleration: Not applicable
- GPU Model: Not applicable
- Plugins: Open Subtitles, Session Cleaner, Skip Intro
- Reverse Proxy: Caddy
- Base URL: 
- Networking: Host (I think?)
- Storage: Not applicable

Jellyfin logs

[2023-07-19 00:42:29.455 -03:00] [INF] [1] Jellyfin.Networking.Manager.NetworkManager: Defined LAN addresses : "[XXXX:XXXX:XXXX:XXXX::/64]"
[2023-07-19 00:42:29.456 -03:00] [INF] [1] Jellyfin.Networking.Manager.NetworkManager: Defined LAN exclusions : "[]"
[2023-07-19 00:42:29.458 -03:00] [INF] [1] Jellyfin.Networking.Manager.NetworkManager: Using LAN addresses: "[XXXX:XXXX:XXXX:XXXX::/64]"
[2023-07-19 00:42:29.465 -03:00] [INF] [1] Jellyfin.Networking.Manager.NetworkManager: Using bind addresses: "[]"
[2023-07-19 00:42:29.466 -03:00] [INF] [1] Jellyfin.Networking.Manager.NetworkManager: Using bind exclusions: "[]"

### FFmpeg logs

_No response_

### Please attach any browser or client logs here

_No response_

### Please attach any screenshots here

_No response_

### Code of Conduct

- [X] I agree to follow this project's Code of Conduct

Originally created by @lucasmz-dev on GitHub (Jul 19, 2023). ### Please describe your bug The title is very self-explanatory, it's pretty much it. If you use any other loopback address in 127.0.0.0/8, like 127.0.0.2 even, Jellyfin seems to believe it's not a valid IP or something, instead, it defaults to binding to every interface. This caused a security problem for me, I use port 80 and 443, and because it was binding to every interface and IP it saw, it also binded to a bunch of public IPv6 addresses, this usually wouldn't be that big of an issue, however my router is kind of crap and does not have a stateful firewall, and since I trusted Jellyfin with firewall rules, it opened those ports directly to the open web; anyone pasting my IP on their browser would directly get into Jellyfin's page. I use a reverse proxy because it has a lot of benefits, and I need to host other stuff in the same IP on the web, so I set Jellyfin to use 127.0.1.1, but didn't realize until weeks, maybe a month later what was going on. ### Jellyfin Version 10.8.z ### if other: _No response_ ### Environment ```markdown - OS: Windows 11 - Linux Kernel: none - Virtualization: none ? - Clients: Not applicable - Browser: Not applicable - FFmpeg Version: Not applicable - Playback Method: Not applicable - Hardware Acceleration: Not applicable - GPU Model: Not applicable - Plugins: Open Subtitles, Session Cleaner, Skip Intro - Reverse Proxy: Caddy - Base URL: - Networking: Host (I think?) - Storage: Not applicable ``` ### Jellyfin logs ```shell [2023-07-19 00:42:29.455 -03:00] [INF] [1] Jellyfin.Networking.Manager.NetworkManager: Defined LAN addresses : "[XXXX:XXXX:XXXX:XXXX::/64]" [2023-07-19 00:42:29.456 -03:00] [INF] [1] Jellyfin.Networking.Manager.NetworkManager: Defined LAN exclusions : "[]" [2023-07-19 00:42:29.458 -03:00] [INF] [1] Jellyfin.Networking.Manager.NetworkManager: Using LAN addresses: "[XXXX:XXXX:XXXX:XXXX::/64]" [2023-07-19 00:42:29.465 -03:00] [INF] [1] Jellyfin.Networking.Manager.NetworkManager: Using bind addresses: "[]" [2023-07-19 00:42:29.466 -03:00] [INF] [1] Jellyfin.Networking.Manager.NetworkManager: Using bind exclusions: "[]" ``` ``` ### FFmpeg logs _No response_ ### Please attach any browser or client logs here _No response_ ### Please attach any screenshots here _No response_ ### Code of Conduct - [X] I agree to follow this project's Code of Conduct

OVERLORD added the bug label 2026-02-07 01:21:10 +03:00

OVERLORD closed this issue 2026-02-07 01:21:11 +03:00

OVERLORD commented 2026-02-07 01:21:12 +03:00

Author

Owner

Copy Link

@cvium commented on GitHub (Jul 20, 2023):

Duplicate of #6272

@cvium commented on GitHub (Jul 20, 2023): Duplicate of #6272

OVERLORD referenced this issue 2026-02-07 06:18:42 +03:00

[PR #4978] [MERGED] Fixes for multiple proxies #10349

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

release-10.11.z

renovate/skiasharp-monorepo

JPVenson-patch-1

renovate/morestachio-5.x

release-10.9.z

openapi-cache

release-10.10.z

explicit-load

explicit-load-v2

feature/entity-framework

only-count-folder-item

fix/ci-workflow-refactor

release-10.8.z

release-10.7.z

EraYaN-add-management-interface

release-10.6.z

release-10.5.z

release-10.4.z

release-10.3.z

release-10.2.z

release-10.1.0

v10.11.6

v10.11.5

v10.11.4

v10.11.3

v10.11.2

v10.11.1

v10.11.0

v10.11.0-rc9

v10.11.0-rc8

v10.11.0-rc7

v10.11.0-rc6

v10.11.0-rc5

v10.11.0-rc4

v10.11.0-rc3

v10.11.0-rc2

v10.11.0-rc1

v10.10.7

v10.10.6

v10.10.5

v10.10.4

v10.10.3

v10.10.2

v10.10.1

v10.10.0

v10.9.11

v10.9.10

v10.9.9

v10.9.8

v10.9.7

v10.9.6

v10.9.5

v10.9.4

v10.9.3

v10.9.2

v10.9.1

v10.9.0

v10.8.13

v10.8.12

v10.8.11

v10.8.10

v10.8.9

v10.8.8

v10.8.7

v10.8.6

v10.8.5

v10.8.4

v10.8.3

v10.8.2

v10.8.1

v10.8.0

v10.8.0-beta3

v10.8.0-beta2

v10.8.0-beta1

v10.8.0-alpha5

v10.8.0-alpha4

v10.8.0-alpha3

v10.8.0-alpha2

v10.8.0-alpha1

v10.7.7

v10.7.6

v10.7.5

v10.7.4

v10.7.3

v10.7.2

v10.7.1

v10.7.0

v10.7.0-rc4

v10.7.0-rc3

v10.7.0-rc2

v10.7.0-rc1

v10.6.4

v10.6.3

v10.6.2

v10.6.1

v10.6.0

v10.5.5

v10.5.4

v10.5.3

v10.5.2

v10.5.1

v10.5.0

v10.4.3

v10.4.2

v10.4.1

v10.4.0

v10.3.7

v10.3.6

v10.3.5

v10.3.4

v10.3.3

v10.3.2

v10.3.1

v10.3.0

v10.3.0-rc2

v10.3.0-rc1

v10.2.2

v10.2.1

v10.2.0

v10.1.0

v10.0.1

v10.0.0

v10.0.2

v3.5.2-5

Labels

Clear labels

EFjellyfin.db

area:database

awaiting-feedback

backend

blocked

breaking change: web api

bug

build

ci

confirmed

discussion needed

dotnet future

downstream

duplicate

enhancement

feature

future

github-actions

good first issue

hdr

help wanted

invalid

investigation

librarydb

live-tv

lyrics

media playback

music

needs testing

nuget

performance

platform

pull-request

Mirrored from GitHub Pull Request

question

regression

release critical

requires-web

roadmap

security

security

stale

support

syncplay

ui & ux

upstream

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/jellyfin#4978