keraattin/CVE-2026-35031
GitHub: keraattin/CVE-2026-35031
A comprehensive research tool for the path traversal to RCE vulnerability in the Jellyfin media server, providing detection, exploitation and fix verification.
Stars: 0 | Forks: 0
# CVE-2026-35031: Jellyfin Subtitle Upload Path Traversal to RCE
## TL;DR
A critical path traversal vulnerability in the Jellyfin media server allows an authenticated user holding the "Upload Subtitles" permission to upload files to arbitrary locations on disk. By abusing the unvalidated Format field of the subtitle upload endpoint, an attacker can write files to sensitive locations, extract sensitive data, escalate privileges, and ultimately execute arbitrary code as root via LD_PRELOAD injection.
- **CVSS Score:** 9.9 (Critical)
- **Affected Versions:** Jellyfin < 10.11.7
- **Fixed Version:** Jellyfin 10.11.7+
- **Authentication Required:** Yes (non-admin user with the subtitle upload permission)
- **Remote Code Execution:** Yes, as root
- **Exploit Complexity:** Low
## Table of Contents
1. [Quick Facts](#quick-facts)
2. [What is Jellyfin?](#what-is-jellyfin)
3. [Vulnerability Deep Dive](#vulnerability-deep-dive)
   - [Root Cause Analysis](#root-cause-analysis)
   - [Attack Chain Breakdown](#attack-chain-breakdown)
   - [LD_PRELOAD Exploitation](#ldpreload-exploitation)
4. [Impact Analysis](#impact-analysis)
5. [Affected Versions](#affected-versions)
6. [Detection](#detection)
   - [Python Scanner](#python-scanner)
   - [Nmap NSE Script](#nmap-nse-script)
7. [Indicators of Compromise](#indicators-of-compromise)
8. [Remediation](#remediation)
9. [References](#references)
10. [Author](#author)
## Quick Facts
| Attribute | Value |
|----------|-------|
| **CVE ID** | CVE-2026-35031 |
| **CVSS Score** | 9.9 (Critical) |
| **CWE** | CWE-22: Path Traversal (Improper Limitation of a Pathname to a Restricted Directory) |
| **Affected Product** | Jellyfin Media Server |
| **Affected Versions** | < 10.11.7 |
| **Fixed Version** | 10.11.7 and later |
| **Vulnerability Type** | Path Traversal + Arbitrary File Write + RCE |
| **Authentication Required** | Yes (non-admin user with the subtitle upload permission) |
| **Required Privilege** | "Upload Subtitles" permission |
| **Default Port** | 8096/TCP |
| **GitHub Advisory** | GHSA-9p5f-5x8v-x65m |
| **Patch Status** | Released and available |
| **Public Exploit** | Yes |
## What is Jellyfin?
Jellyfin is a free and open-source media server designed to help you manage and stream your personal media collection. It offers functionality comparable to commercial media servers, but with full source-code transparency and community control.
### Key Features
- Self-hosted media streaming (music, movies, TV shows)
- Multi-user support with granular permission control
- Subtitle management and synchronization
- Web-based interface accessed over HTTP/HTTPS
- Cross-platform deployment (Linux, Windows, macOS)
- Support for a wide range of media formats and streaming protocols
### Network Architecture
```
            Jellyfin Media Server (Port 8096)
             /             |              \
         Web UI        REST API       Media Streams
       (Browser)    (Authenticated)  (Subtitle Upload)
                           |
              /System/Info/Public         (unauthenticated)
              /Videos/{itemId}/Subtitles  (vulnerable)
              /Library/Collections        (admin)

Client Devices > Network > Jellyfin Server > Database + Storage
                                                  |
                                        /var/lib/jellyfin/
                                        /etc/ld.so.preload (writable via vulnerability)
```
## Vulnerability Deep Dive
### Root Cause Analysis
The vulnerability lies in the subtitle upload endpoint (`/Videos/{itemId}/Subtitles`), which accepts a file upload and stores it on disk. The critical flaw is insufficient validation of the Format field parameter.
#### Vulnerable Code Pattern
When handling a subtitle upload, the endpoint neither validates nor sanitizes the Format field:
```
POST /Videos/{itemId}/Subtitles HTTP/1.1
Content-Type: multipart/form-data
[Binary subtitle data]
Format: /../../../etc/ld.so.preload
Language: en
```
The Format parameter is supposed to specify the subtitle format (srt, vtt, ass, etc.), but it is treated as part of the file path instead:
```
Base Path: /var/lib/jellyfin/subtitles/
User Input: /../../../etc/ld.so.preload
Result: /var/lib/jellyfin/subtitles/../../../etc/ld.so.preload
Resolved: /etc/ld.so.preload (via path traversal)
```
### Attack Chain Breakdown
The vulnerability chains several weaknesses together to reach remote code execution as root:
```
Step 1: Subtitle Upload with Path Traversal
        POST /Videos/{itemId}/Subtitles
        Format: /../../../etc/ld.so.preload
                |
                v
Step 2: Arbitrary File Write
        Write attacker-controlled data to /etc/ld.so.preload
                |
                v
Step 3: File Read via .strm Files
        Create .strm files pointing to sensitive paths
        Extract database contents and credentials
                |
                v
Step 4: Database Extraction
        Access /jellyfin/jellyfin.db via .strm
        Extract admin user hashes
                |
                v
Step 5: Admin Privilege Escalation
        Reset admin password or create new admin account
                |
                v
Step 6: RCE via LD_PRELOAD Injection
        LD_PRELOAD=/path/to/malicious.so java
        Arbitrary code execution as root
```
### Path Traversal Mechanism
```
Input Validation Failure:

  Format Field Validation:
    Expected: srt | vtt | ass | ssa | sub | subrip
    Actual:   /../../../etc/ld.so.preload
    Result:   NO VALIDATION > PATH TRAVERSAL ALLOWED

  File Write Operation:
    String Concatenation: "/subtitles/" + user_format + ".srt"
              |
    NO CANONICALIZATION: Path component not resolved before write
    NO WHITELIST:        Format values not restricted
    NO BOUNDS CHECK:     ".." sequences not filtered
              |
              v
    Final Path: /etc/ld.so.preload (EXPLOITED)
```
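The three missing checks named above (whitelist, canonicalization, bounds check), implemented next to the flawed concatenation as an added Python example written for this write-up; it is not Jellyfin's own code, and the base directory and file naming scheme are assumptions:

```python
import os
import re

# Assumed values for the illustration; the real Jellyfin layout may differ.
SUBTITLE_BASE = "/var/lib/jellyfin/subtitles"
ALLOWED_FORMATS = {"srt", "vtt", "ass", "ssa", "sub", "subrip"}


def vulnerable_subtitle_path(item_id, language, fmt):
    """The flawed pattern: the Format value is spliced into the path without any check."""
    return f"{SUBTITLE_BASE}/{item_id}.{language}.{fmt}"


def escapes_base(path, base=SUBTITLE_BASE):
    """Canonicalize lexically and check the result is still inside the base directory.

    normpath() collapses '..' segments; in production also apply realpath() so that a
    symlink inside the subtitle directory cannot point outside it.
    """
    resolved = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([resolved, os.path.normpath(base)]) != os.path.normpath(base)


def safe_subtitle_path(item_id, language, fmt):
    """Hardened version: whitelist the format, constrain every other component, bounds-check."""
    # Whitelist: the Format field may only be a known subtitle extension.
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"format not allowed: {fmt!r}")
    # The other user-influenced components must be plain tokens, so no separator or '..' gets in.
    if not re.fullmatch(r"[A-Za-z0-9-]{1,64}", item_id):
        raise ValueError("bad item id")
    if not re.fullmatch(r"[a-z]{2,3}", language):
        raise ValueError("bad language code")
    candidate = os.path.join(SUBTITLE_BASE, f"{item_id}.{language}.{fmt}")
    # Bounds check after canonicalization, as a second line of defence.
    if escapes_base(candidate):
        raise ValueError("resolved path escapes the subtitle directory")
    return candidate
```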
### LD_PRELOAD Exploitation
The LD_PRELOAD technique is a powerful method for privilege escalation and code execution on Linux systems:
```
LD_PRELOAD Injection Flow:

1. Attacker writes malicious .so (shared object) to /etc/ld.so.preload
     /etc/ld.so.preload contents:
       /path/to/attacker.so

2. Java process starts (Jellyfin runs on Java):
     kernel > execve("java", ...) > glibc initialization
                       |
                       v
              Check /etc/ld.so.preload
                       |
                       v
              Load attacker.so FIRST
                       |
                       v
              Execute attacker code
              (BEFORE Java main())

3. Code Execution Context:
     Process Owner: root (Jellyfin typically runs as root)
     Permissions:   Full system access
     Timing:        Before application initialization
     Detection:     Minimal (malicious code runs early)

4. Attacker Capabilities:
     > Create reverse shell with full root privileges
     > Extract sensitive data before application starts
     > Modify Java application behavior
     > Persist via cron jobs or systemd services
     > Establish C2 communication
```
#### Why LD_PRELOAD Works for Privilege Escalation
```
User Level Access > Path Traversal > Write /etc/ld.so.preload
                                              |
                                              v  (Next process execution)
                                              |
                  Kernel reads /etc/ld.so.preload > Loads attacker .so
                                              |
                                              v
                      Malicious code executes in root context
                                              |
                                              v
                             Full system compromise
```
## Impact Analysis
### Confidentiality
**Critical** - Complete information disclosure
- Database extraction: admin credentials, user passwords, API keys
- Leakage of subtitle files and media metadata
- Access to configuration files containing sensitive data
- System information gathering for further exploitation
### Integrity
**Critical** - System-level file modification
- Arbitrary file write to any location on disk
- Modification of application binaries
- Tampering with system configuration
- Database corruption or manipulation
### Availability
**Critical** - Service disruption and denial
- System shutdown or crash via malicious .so files
- Disk space exhaustion through large file writes
- Process termination or resource exhaustion
- Complete unavailability of the service
### Affected Components
- Jellyfin media server process (running as root)
- Operating system kernel and libraries
- Stored media and metadata
- User authentication system
- System-wide processes linked against glibc
### Business Impact
- **Data Breach:** All stored credentials and user data compromised
- **Service Disruption:** Jellyfin, and potentially other services, unavailable
- **Lateral Movement:** The compromised system becomes a pivot for attacks on the network
- **Compliance Violations:** GDPR, CCPA or HIPAA breaches if PII is exposed
- **Supply Chain Risk:** If Jellyfin provides shared or enterprise media services
## Affected Versions
| Version | Status | Notes |
|---------|--------|-------|
| < 10.8.0 | Vulnerable | Original vulnerability present |
| 10.8.0 - 10.11.6 | Vulnerable | Path traversal and RCE possible |
| 10.11.7+ | Fixed | Format field properly validated |
| 10.12.0+ | Fixed | Latest release, includes the security fix |
### Version Detection
The vulnerability can be detected by checking the version string returned by the `/System/Info/Public` endpoint:
```
GET /System/Info/Public HTTP/1.1
Host: jellyfin-server:8096

Response:
{
  "ServerName": "MyJellyfin",
  "Version": "10.10.3",            < Vulnerable
  "ProductName": "Jellyfin",
  "StartupWizardCompleted": true
}
```
## Detection
### Python Scanner
The `CVE-2026-35031_Jellyfin_RCE_detector.py` script provides automated vulnerability detection.
#### Installation and Dependencies
```
pip install requests urllib3
```
#### Usage
```
python CVE-2026-35031_Jellyfin_RCE_detector.py -t 10.0.0.5:8096
python CVE-2026-35031_Jellyfin_RCE_detector.py -t http://10.0.0.0/24
python CVE-2026-35031_Jellyfin_RCE_detector.py -t targets.txt -o results.json
```
#### Command-Line Options
```
-t, --target HOST[:PORT] or CIDR or FILE
Single target, IP range, or file with targets
-p, --port PORT Custom port (default: 8096)
--timeout SECONDS Connection timeout (default: 10)
-o, --output FILE Save results to JSON file
-v, --verbose Enable verbose logging
--no-ssl-verify Disable SSL certificate verification
```
#### Sample Output
```
[*] CVE-2026-35031 Jellyfin RCE Detection Scanner
[*] Target: http://10.0.0.5:8096
[*] Scan Time: 2026-04-15T12:00:00Z
[*] Detection method: /System/Info/Public version check
[*] Vulnerable: Jellyfin < 10.11.7
======================================================================
Target: http://10.0.0.5:8096
Scan Time: 2026-04-15T12:00:00Z
Risk Level: CRITICAL
======================================================================
Is Jellyfin: YES
Jellyfin Version: 10.10.3
Server Name: MediaServer
Operating System: Linux
Subtitle Endpoint: Accessible
Vulnerable: YES
*** VULNERABLE: Path traversal in subtitle upload ***
*** Chains to arbitrary file write and RCE as root via ld.so.preload ***
*** Upgrade to Jellyfin 10.11.7 immediately ***
======================================================================
Summary:
Total Targets: 1
Vulnerable: 1
Patched: 0
Unknown: 0
======================================================================
```
#### Detection Logic
The scanner performs the following checks:
1. **Service detection:** Connect to the target port and inspect the HTTP headers
2. **Jellyfin verification:** Query the `/System/Info/Public` endpoint
3. **Version extraction:** Parse the `Version` field from the JSON response
4. **Vulnerability assessment:** Compare the version against the patched release (10.11.7)
5. **Endpoint verification:** Confirm the subtitle upload endpoint exists
6. **Risk calculation:** Determine the CVSS impact based on the version
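The version-comparison core of steps 2 to 4 above, written here as an added Python example rather than taken from the repository's scanner; the sample response body is constructed from the one shown under Version Detection, and `fetch_public_info` assumes a server reachable over plain HTTP:

```python
import json
import re
import urllib.request

FIXED_VERSION = (10, 11, 7)  # first patched release per the advisory

# Constructed sample body, modelled on the /System/Info/Public response shown above.
SAMPLE_RESPONSE = (
    '{"ServerName": "MyJellyfin", "Version": "10.10.3", '
    '"ProductName": "Jellyfin", "StartupWizardCompleted": true}'
)


def parse_version(version):
    """Turn "10.10.3", "v10.11" or "10.11.7-rc1" into a 3-tuple; suffixes after the numbers are ignored."""
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version or "")
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_vulnerable_version(version):
    """True if the version sorts below 10.11.7, False if patched, None if unparseable."""
    parsed = parse_version(version)
    return None if parsed is None else parsed < FIXED_VERSION


def assess_public_info(body):
    """Classify a raw /System/Info/Public body the way the scanner's summary lines do."""
    try:
        info = json.loads(body)
    except ValueError:
        return {"is_jellyfin": False, "version": None, "vulnerable": None, "risk": "UNKNOWN"}
    is_jellyfin = info.get("ProductName") == "Jellyfin"
    version = info.get("Version") if is_jellyfin else None
    vulnerable = is_vulnerable_version(version) if is_jellyfin else None
    risk = "CRITICAL" if vulnerable else ("NONE" if vulnerable is False else "UNKNOWN")
    return {"is_jellyfin": is_jellyfin, "version": version, "vulnerable": vulnerable, "risk": risk}


def fetch_public_info(base_url, timeout=10):
    """Fetch the unauthenticated endpoint and assess it (needs network access; not exercised offline)."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/System/Info/Public", timeout=timeout) as resp:
        return assess_public_info(resp.read().decode("utf-8", "replace"))
```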
### Nmap NSE Script
The `CVE-2026-35031_Jellyfin_RCE.nse` script provides vulnerability scanning integrated with Nmap.
#### Installation
```
# Copy to the Nmap scripts directory
sudo cp CVE-2026-35031_Jellyfin_RCE.nse /usr/share/nmap/scripts/
# Update the Nmap script database
sudo nmap --script-updatedb
```
#### Usage
```
# Basic scan
nmap -p 8096 --script CVE-2026-35031_Jellyfin_RCE 10.0.0.5
# Full scan with service detection
nmap -sV -p 8096 --script CVE-2026-35031_Jellyfin_RCE 10.0.0.5
# Scan an entire subnet
nmap -sV -p 8096 --script CVE-2026-35031_Jellyfin_RCE 10.0.0.0/24
# Aggressive scan with timing template
nmap -sV -p- --script CVE-2026-35031_Jellyfin_RCE -T4 10.0.0.5
# Export results as XML
nmap -sV -p 8096 --script CVE-2026-35031_Jellyfin_RCE -oX results.xml 10.0.0.5
```
#### Sample Output
```
PORT STATE SERVICE VERSION
8096/tcp open http Jellyfin Media Server 10.10.3
| CVE-2026-35031_Jellyfin_RCE:
| VULNERABLE:
| Jellyfin Subtitle Path Traversal to RCE (CVE-2026-35031)
| State: VULNERABLE
| Risk level: CRITICAL
| CVSS Score: 9.9
| Jellyfin Version: 10.10.3
| Fixed Version: 10.11.7
| Description:
| Jellyfin 10.10.3 is vulnerable to CVE-2026-35031. The subtitle
| upload endpoint (/Videos/{itemId}/Subtitles) does not validate
| the Format field, allowing path traversal and arbitrary file write.
| This chains into remote code execution as root via LD_PRELOAD.
| Vulnerability Chain:
| 1. POST /Videos/{itemId}/Subtitles with Format=/../../../etc/ld.so.preload
| 2. Arbitrary file write to /etc/ld.so.preload
| 3. Database extraction via .strm files
| 4. Admin privilege escalation
| 5. RCE as root via LD_PRELOAD injection
| Affected Endpoint: /Videos/{itemId}/Subtitles
| Authentication Required: YES (non-admin user)
| References:
| https://nvd.nist.gov/vuln/detail/CVE-2026-35031
| https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m
|_ https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7
```
#### Script Arguments
```
# Custom timeout (slow networks)
nmap --script CVE-2026-35031_Jellyfin_RCE --script-args timeout=30 10.0.0.5
# Debug mode for troubleshooting
nmap --script CVE-2026-35031_Jellyfin_RCE -d 10.0.0.5
# Aggressive version detection
nmap -sV --version-intensity 9 --script CVE-2026-35031_Jellyfin_RCE 10.0.0.5
```
## Indicators of Compromise
### Log Indicators
**Jellyfin server log** (`/var/log/jellyfin/jellyfin.log`)
```
[ERR] Error processing subtitle upload: Invalid path characters detected
[ERR] Exception in subtitle handling: DirectoryNotFoundException
[ERR] Unauthorized file system access attempt
[WARN] Unusual subtitle format detected: /../../../
[ERR] Security violation: Path traversal attempt blocked
```
**System log** (`/var/log/syslog` or `/var/log/messages`)
```
subtitle upload process: segmentation fault (core dumped)
kernel: [security] Attempted to load from LD_PRELOAD: /etc/ld.so.preload
ld.so.preload: permission denied or file corrupted
Java process crashed after LD_PRELOAD initialization
Unexpected behavior from root-level Java process
```
### File System Indicators
**Modified system files**
```
/etc/ld.so.preload - Should not contain any paths if not configured
/lib/x86_64-linux-gnu/ - Look for suspicious .so files created recently
/var/lib/jellyfin/subtitles - Check for files outside normal naming
/etc/passwd - Verify no unauthorized access or modification
/var/lib/jellyfin/db - Database timestamps may indicate extraction
```
**Suspicious file paths in the subtitle directory**
```
/../../../etc/ld.so.preload
/../../../root/.ssh/authorized_keys
/../../../var/lib/jellyfin/jellyfin.db
../../../proc/self/environ
```
### Network Indicators
**Suspicious HTTP requests**
```
POST /Videos/[0-9]+/Subtitles
- Format parameter contains: /.. or ..\ patterns
- Format parameter contains absolute paths starting with /
- Format parameter does not match known subtitle formats
Encoded Payloads:
%2e%2e%2f (URL encoded ../)
..%252f (Double encoded ../)
....// (Bypass patterns)
```
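Those three request-level indicators and the encoded variants listed above, as an added Python detector run over a few constructed access-log style lines; the log layout and the `format=` field are assumptions, and this is not one of the repository's tools:

```python
import re
from urllib.parse import unquote

KNOWN_FORMATS = {"srt", "vtt", "ass", "ssa", "sub", "subrip"}
SUBTITLE_POST = re.compile(r"\bPOST /Videos/[^/\s]+/Subtitles\b", re.I)
FORMAT_FIELD = re.compile(r"\bformat=(\S+)", re.I)

# Constructed sample lines in an assumed "<client> <method> <path> <fields>" layout.
SAMPLE_LOG = [
    "10.0.0.77 POST /Videos/123/Subtitles format=srt language=en",
    "10.0.0.77 POST /Videos/123/Subtitles format=/../../../etc/ld.so.preload language=en",
    "10.0.0.77 POST /Videos/123/Subtitles format=%2e%2e%2f%2e%2e%2fetc%2fld.so.preload language=en",
    "10.0.0.77 POST /Videos/123/Subtitles format=..%252f..%252fetc%252fpasswd language=en",
    "10.0.0.77 POST /Videos/123/Subtitles format=....//....//etc language=en",
    "10.0.0.77 GET /System/Info/Public",
]

def normalize(value, rounds=3):
    """Strip up to `rounds` layers of URL encoding (catches %2e%2e%2f and ..%252f) and unify slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def traversal_reasons(raw_format):
    """Return the indicators that match a Format value; an empty list means it looks benign."""
    fmt = normalize(raw_format)
    reasons = []
    if fmt.lower() not in KNOWN_FORMATS:
        reasons.append("not a known subtitle format")
    if ".." in fmt:  # the '....//' bypass contains '..' too, so it is caught here
        reasons.append("contains '..'")
    if fmt.startswith("/"):
        reasons.append("absolute path")
    if fmt != raw_format:
        reasons.append("encoded or backslash variant")
    return reasons

def scan_log(lines):
    """Return (line_no, raw_format, reasons) for subtitle uploads whose Format field is suspicious."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = FORMAT_FIELD.search(line) if SUBTITLE_POST.search(line) else None
        if m and (reasons := traversal_reasons(m.group(1))):
            hits.append((n, m.group(1), reasons))
    return hits
```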
**Outbound connections from the Jellyfin process**
```
Reverse shells to external IPs
Connections to known C2 infrastructure
DNS requests to anomalous domains
Sudden spike in network traffic after failed subtitle upload
```
### Process Indicators
**Jellyfin process anomalies**
```
java process executing system commands
java process spawning shell processes (/bin/bash, /bin/sh)
java process opening connections to unusual ports
java process reading system files like /etc/shadow
Unusual CPU or memory usage spikes
Child processes with different UID than parent
```
### Database Indicators
**Jellyfin database changes** (`jellyfin.db`)
```
New admin user created outside normal workflow
Admin password changed without admin action
API keys/tokens created unexpectedly
Unusual activity in audit logs
```
## Remediation
### Immediate Actions (Priority: Critical)
1. **Upgrade Jellyfin immediately**
   ```
   # Docker deployment
   docker pull jellyfin/jellyfin:latest
   docker-compose down
   docker-compose up -d
   # Package manager (Ubuntu/Debian)
   sudo apt-get update
   sudo apt-get install --only-upgrade jellyfin
   # Package manager (Fedora/RHEL)
   sudo dnf upgrade jellyfin
   ```
2. **Stop the Jellyfin service**
   ```
   sudo systemctl stop jellyfin
   ```
3. **Check for signs of exploitation**
   ```
   # Check whether ld.so.preload has been modified
   ls -la /etc/ld.so.preload
   cat /etc/ld.so.preload
   # Check the subtitle directory for suspicious files
   find /var/lib/jellyfin/subtitles -type f -newer /proc -ls
   # Check the Jellyfin data directory
   find /var/lib/jellyfin -type f -newermt "2026-04-14" -ls
   ```
### Short-Term Mitigations (Priority: High)
1. **Restrict the subtitle upload permission**
   Jellyfin Web UI > Settings > Users
   Disable the "Upload Subtitles" permission for all non-admin users
   Review every user that holds this permission
2. **Network isolation**
   ```
   # Allow only trusted networks to reach Jellyfin
   sudo ufw allow from 192.168.1.0/24 to any port 8096
   sudo ufw deny from any to any port 8096
   ```
3. **File system permissions**
   ```
   # Ensure Jellyfin runs with minimal privileges
   sudo usermod -s /usr/sbin/nologin jellyfin
   # Restrict ld.so.preload permissions
   sudo chmod 644 /etc/ld.so.preload
   sudo chmod 644 /etc/ld.so.conf
   # Set appropriate permissions on the Jellyfin directories
   sudo chown -R jellyfin:jellyfin /var/lib/jellyfin
   sudo chmod 750 /var/lib/jellyfin
   ```
4. **Monitor for exploitation attempts**
   ```
   # Watch the subtitle upload endpoint in the logs
   tail -f /var/log/jellyfin/jellyfin.log | grep -i subtitle
   # Audit changes to ld.so.preload in the system logs
   auditctl -w /etc/ld.so.preload -p wa -k ld_preload_changes
   ```
### Long-Term Hardening (Priority: Medium)
1. **Deploy a Web Application Firewall (WAF)**
   Block requests containing:
   - Path traversal patterns: `../` and `..\`
   - Suspicious file paths: /etc/ /root/ /proc/
   - Encoded variants: %2e%2e%2f
2. **Enable security modules**
   ```
   # AppArmor (Ubuntu/Debian)
   sudo aa-enforce /etc/apparmor.d/usr.bin.java
   # SELinux (Fedora/RHEL)
   sudo semanage fcontext -a -t jellyfin_home_t "/var/lib/jellyfin(/.*)?"
   sudo restorecon -R /var/lib/jellyfin
   ```
3. **Run Jellyfin as a non-root user**
   ```
   # Create a dedicated user if one does not exist
   sudo useradd -r -s /usr/sbin/nologin jellyfin
   # Update the systemd service
   sudo sed -i 's/User=.*/User=jellyfin/' /etc/systemd/system/jellyfin.service
   sudo systemctl daemon-reload
   sudo systemctl restart jellyfin
   ```
4. **Implement regular backups**
   ```
   # Automated daily backup
   sudo crontab -e
   # 0 2 * * * /usr/local/bin/jellyfin-backup.sh
   # Verify backup integrity
   tar -tzf /backup/jellyfin-$(date +%Y%m%d).tar.gz > /dev/null
   ```
5. **Enable audit logging**
   ```
   # Log file access to sensitive locations
   auditctl -w /etc/ld.so.preload -p wa -k ld_preload_audit
   auditctl -w /var/lib/jellyfin -p wa -k jellyfin_audit
   # Monitor execution of the Jellyfin process
   auditctl -a always,exit -F exe=/usr/bin/java -F arch=b64 -S execve -k jellyfin_exec
   ```
### Verification Steps
```
# 1. Verify the Jellyfin version after upgrading
curl -s http://localhost:8096/System/Info/Public | jq .Version
# 2. Confirm there are no unauthorized ld.so.preload entries
cat /etc/ld.so.preload | wc -l # Should be 0 or contain only legitimate entries
# 3. Check the Jellyfin process privileges
ps aux | grep jellyfin | grep -v grep
# 4. Verify the subnet access restriction
sudo ufw status
# 5. Test subtitle upload with a non-admin user (should work normally)
# Upload a legitimate .srt file and confirm it is stored correctly
```
## References
### Official Sources
- **NVD Entry:** https://nvd.nist.gov/vuln/detail/CVE-2026-35031
- **GitHub Advisory:** https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m
- **Jellyfin Release v10.11.7:** https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7
- **Jellyfin Documentation:** https://docs.jellyfin.org
### Related Vulnerabilities and Research
- CWE-22: Path Traversal - https://cwe.mitre.org/data/definitions/22.html
- LD_PRELOAD exploitation: https://www.gnu.org/software/libc/manual/html_node/Dynamic-Linker.html
- Java process privilege escalation patterns
- Subtitle file format specifications (RFC standards)
### Security Tools and Resources
- Nmap: https://nmap.org
- Metasploit Framework: https://www.metasploit.com
- OWASP Path Traversal guide: https://owasp.org/www-community/attacks/Path_Traversal
## Author
**Vulnerability discovery and documentation by:**
**Kerem Oruc** (@keraattin)
- GitHub: https://github.com/keraattin
- Twitter/X: https://twitter.com/keraattin
### Contributing
If you have suggestions for improvements or detection tools, please submit a pull request or open an issue.
**Disclaimer:** This document is intended solely for educational and authorized security testing purposes. Unauthorized access to computer systems is illegal. Always obtain proper authorization before performing security assessments.
**Last updated:** 2026-04-15 | **Status:** Published