You can’t throw shade on Jellyfin, leave plex out of the discussion and then claim to run neither and essentially not caring…
Why participate at all with this argument??
Yeah I should’ve probably emphasised that Plex isn’t free of security vulnerabilities either, but I didn’t because I never even considered running it on my server, given the insane price.
Why participate with this argument? I was hoping to be proven wrong on the claim that jellyfin is insecure.
I was hoping to be proven wrong on the claim that jellyfin is insecure.
The constant argument being parotted (IMO a bit extra overblown) that you can read files by knowing the file path and being able to access the stream urls without authentication.
So if I know /data/media/movie/A Super Secret Movie [2026] (not unlikely due to assumed default paths with docker installations)
and https://jellyfin.example.local/
I can supposedly guess that the URL is https://jellyfin.example.local/video/source=?1029rifos0xomsoc93 and access the stream.
Is it an issue? Yes, you are bypassing active authentication
What is the actual security problem? You can be ddosed by being streames to death? Oh no, what will I do /s
If anyone else can give a more grave exampe why it’s worse than the above example: Please do. I don’t see the issue besides bypassing authentication.
You can’t throw shade on Jellyfin, leave plex out of the discussion and then claim to run neither and essentially not caring…
Why participate at all with this argument??
Yeah I should’ve probably emphasised that Plex isn’t free of security vulnerabilities either, but I didn’t because I never even considered running it on my server, given the insane price.
Why participate with this argument? I was hoping to be proven wrong on the claim that jellyfin is insecure.
It’s impossible to prove a negative, that there are no vulnerabilities.
The constant argument being parotted (IMO a bit extra overblown) that you can read files by knowing the file path and being able to access the stream urls without authentication.
So if I know
/data/media/movie/A Super Secret Movie [2026](not unlikely due to assumed default paths with docker installations)and
https://jellyfin.example.local/I can supposedly guess that the URL is
https://jellyfin.example.local/video/source=?1029rifos0xomsoc93and access the stream.Is it an issue? Yes, you are bypassing active authentication
What is the actual security problem? You can be ddosed by being streames to death? Oh no, what will I do /s
If anyone else can give a more grave exampe why it’s worse than the above example: Please do. I don’t see the issue besides bypassing authentication.
That’s one of the ones we know about. Consider the ones that might exist that haven’t been found yet.
Literally the same can be said about Plex.