
CVE-2021-29490 — Unauthenticated GET requests through Remote Image endpoints

CVSS 5.8 (Medium) · EPSS 88.18% · P99

I. Basic Information for CVE-2021-29490

Vulnerability Information


Vulnerability Title
Unauthenticated GET requests through Remote Image endpoints
Source: NVD (National Vulnerability Database)
Vulnerability Description
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Versions prior to 10.7.3 are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers, or other resources available via HTTP `GET`, that are reachable from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image` and `/Images/Remote` via a reverse proxy, or limit access to known-friendly IPs.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
Server-Side Request Forgery (SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Jellyfin code issue vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Jellyfin is a free software media system that lets you control the management and streaming of your media. It is an alternative to the proprietary Emby and Plex and can deliver media from a dedicated server to end-user devices through multiple applications. Jellyfin versions prior to 10.7.3 contain a code issue vulnerability that may expose internal and external HTTP servers, or other resources reachable via HTTP GET from the Jellyfin server.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)


Affected Products

Vendor: jellyfin · Product: jellyfin · Affected Versions: <= 10.7.2 · CPE: -

II. Public POCs for CVE-2021-29490

1. Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter.
   Source: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-29490.yaml

2. (No description provided.)
   Source: https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Jellyfin%20RemoteImageController.cs%20SSRF%E6%BC%8F%E6%B4%9E%20CVE-2021-29490.md
