🚀 Jellyfin Server 10.11.7
We are pleased to announce the latest stable release of Jellyfin, version 10.11.7! This minor release brings several bugfixes to improve your Jellyfin experience. As alway...
edit: to add something constructive to my snarky comment, what kind of attack surface are we talkin here? Multiple ports? Lots of separate services running? No authentication?
There has been a known “anyone can access your media without authentication” vulnerability for seven years and counting, and the Jellyfin devs have openly stated that they have no intentions of fixing it. Because fixing it would require completely divesting from the Enby branch that the entire program is built upon. And they never plan on refactoring that entire thing, so they never plan on fixing the vulnerabilities.
The “don’t expose it to the internet” people aren’t just screaming at clouds. Jellyfin is objectively insecure, and shouldn’t be exposed.
Exactly. And that’s honestly why I doubt it will ever truly contend with Plex. It’s fine for sharing with friends who can figure out how to connect via VPN, but it’ll never be robust enough to share with your tech-illiterate grandparents on the open internet. Plex wins handily in that regard, because their sign in process is basically the same as Netflix, HBO, Hulu, etc…
Plex has problems of its own, but (at least as of me writing this) it doesn’t have any major known security vulnerabilities. They had some level 10.0 vulnerability last year, but they followed standard CVE protocols and patched it before the vulnerability was actually released.
Sure, but being mostly secure by default isn’t one of them. One advantage of running a service that offers optional subscription services is that they can offer security features like built-in SSL and AAA that just work. Any average user can install it and have a reasonably secure service running. Hell, until a few months ago you didn’t even need to open a port to have remote access to your content, whether you paid or not. Now they’ve made that a paid feature though.
I’m talking average enough to see an article, or hear about it from a friend/coworker, then follow the insanely easy setup directions for Windows. I know plenty of people who aren’t really “computer people” but know enough to open a port because they had to to get a game working at some point or another. Those people probably wouldnt notice “hey this thing is going to http maybe i should rethink this…”
These are going to be the people who think it’s smart to just open up RDP and SSH to the wide web though…they shouldn’t be forwarding ports…they should use a VPN.
I had to explain to one of them why RDP is a bad idea lol. Thats kind of my point - average people tend to only know enough to be dangerous, not to do things safely. Or as Shakespeare said - "The fool doth think he is wise, but the wise man knows himself to be a fool.”
I think you’re missing the point - that’s neither simple nor easy for most people. I’m a network engineer and I don’t wanna deal with setting up and (being responsible for troubleshooting) a bunch of VPNs! Nevermind the additional power/CPU usage from the tunnels. My parents just got fiber and they don’t even have a public address (ipv4 or v6) which just adds another layer of headache. thanks west virginia…
I’d much rather deal with setting up a few VPN gateways which is trivial at most…than securing a public web service. I deal with that crap enough at work.
There are a lot less variables to contend with with a single VPN endpoint which undergoes considerably more security auditing than N public web services. Many of which I don’t have the time to review myself and mitigate if they decide to suck at coding.
Edit: I share my services with less than 5 households though.
Edit2: I’m not sure what public ipv4 or ipv6 has to do with this. My remote sites use starlink ipv4. I haven’t setup ipv6 on those internally at all. They all tunnel via wireguard to my homesite.
At my remote site it has little value. At my home I have IPv6 setup on Starlink as my secondary backup internet. I use Fiber as the primary that has a public IPv4 and IPv6.
jellyfin people just always spout this advice as some sort of copium and i dont even know why. ALL software will have security issues at some point or another. just update and move on with your life.
There is a new story every week in Steve Gibson’s “Security Now” podcast about why you should virtually never open ports. And if you do, you’d better IP restrict. Even, or especially, in commercial products. Cisco has a new CVSS 10.0 every other week just about
I run pretty much all my stuff through NPMplus. Then I have a firewall between my public and private networks in case something does get compromised. But I’ve had Plex exposed (on a non-default port) for literally years and nothing ever happens.
But I think more than copium it’s them understanding their users. It’s advice for people that will figure out how to run Jellyfin but won’t stay on top of updates, setup a waf, use a firewall/reverseproxy to limit access, etc. There are surely a lot of those that just one clicked an installer etc and for them it’s good advice.
None really, just wondering what the issue with opening it up is if it has TLS? In 10+ years I’ve never had my Plex server compromised and it just uses TLS. I do change the default port but that’s it.
That’s kinda my perspective on it to. I mean, how do they think websites work? Gotta expose ports to make all the internet things happen. Sure commercial stuff will have more devices to protect it, but there are things you can do to mitigate issues at home too.
Just a reminder that you should never expose Jellyfin to the internet
The worst part of enthusiast threads are the “I am very smart” takes like this
You objectively shouldn’t expose Jellyfin to the internet. It has a rather large attack surface and isn’t designed with security in mind.
Pretending everything is fine won’t solve the problem
Sounds like a great reason to use Plex instead!
edit: to add something constructive to my snarky comment, what kind of attack surface are we talkin here? Multiple ports? Lots of separate services running? No authentication?
There has been a known “anyone can access your media without authentication” vulnerability for seven years and counting, and the Jellyfin devs have openly stated that they have no intentions of fixing it. Because fixing it would require completely divesting from the Enby branch that the entire program is built upon. And they never plan on refactoring that entire thing, so they never plan on fixing the vulnerabilities.
The “don’t expose it to the internet” people aren’t just screaming at clouds. Jellyfin is objectively insecure, and shouldn’t be exposed.
Ahh bummer. It works so well as a home media server… kind of calls out for sharing.
Jeez, so it’s meant to be a literal home media server. Able, but not designed, to be used for sharing.
Exactly. And that’s honestly why I doubt it will ever truly contend with Plex. It’s fine for sharing with friends who can figure out how to connect via VPN, but it’ll never be robust enough to share with your tech-illiterate grandparents on the open internet. Plex wins handily in that regard, because their sign in process is basically the same as Netflix, HBO, Hulu, etc…
Plex has problems of its own, but (at least as of me writing this) it doesn’t have any major known security vulnerabilities. They had some level 10.0 vulnerability last year, but they followed standard CVE protocols and patched it before the vulnerability was actually released.
Plex has its own set of problems
Sure, but being mostly secure by default isn’t one of them. One advantage of running a service that offers optional subscription services is that they can offer security features like built-in SSL and AAA that just work. Any average user can install it and have a reasonably secure service running. Hell, until a few months ago you didn’t even need to open a port to have remote access to your content, whether you paid or not. Now they’ve made that a paid feature though.
yeah okay let me just connect grandma’s tv to a vpn.
edit: gas is $5/gal ya’ll, I’m not driving to a different state each time a new family member wants to watch something from my server!
There are plenty of ways around this
A cheap thin client minipc is only like 20-40 USD and would solve the problem overnight
I can set it up, and you can set it up, but for the average user?
The average user isn’t using Jellyfin
All you need is a little Linux knowledge in order to setup Netbird with Caddy
I’m talking average enough to see an article, or hear about it from a friend/coworker, then follow the insanely easy setup directions for Windows. I know plenty of people who aren’t really “computer people” but know enough to open a port because they had to to get a game working at some point or another. Those people probably wouldnt notice “hey this thing is going to http maybe i should rethink this…”
These are going to be the people who think it’s smart to just open up RDP and SSH to the wide web though…they shouldn’t be forwarding ports…they should use a VPN.
I had to explain to one of them why RDP is a bad idea lol. Thats kind of my point - average people tend to only know enough to be dangerous, not to do things safely. Or as Shakespeare said - "The fool doth think he is wise, but the wise man knows himself to be a fool.”
Yeah. This is why you don’t encourage normies to port forward…they make everyone a domain admin and open up RDP…
Setup a VPN gateway at Grandma’s house. Works fine for me.
I think you’re missing the point - that’s neither simple nor easy for most people. I’m a network engineer and I don’t wanna deal with setting up and (being responsible for troubleshooting) a bunch of VPNs! Nevermind the additional power/CPU usage from the tunnels. My parents just got fiber and they don’t even have a public address (ipv4 or v6) which just adds another layer of headache. thanks west virginia…
If you have the skills to setup a Jellyfin server you also have the skills to setup wireguard.
That’s a very specific use case.
They appear to offer a guided installation for windows users.
I’d much rather deal with setting up a few VPN gateways which is trivial at most…than securing a public web service. I deal with that crap enough at work.
There are a lot less variables to contend with with a single VPN endpoint which undergoes considerably more security auditing than N public web services. Many of which I don’t have the time to review myself and mitigate if they decide to suck at coding.
Edit: I share my services with less than 5 households though.
Edit2: I’m not sure what public ipv4 or ipv6 has to do with this. My remote sites use starlink ipv4. I haven’t setup ipv6 on those internally at all. They all tunnel via wireguard to my homesite.
When I set up wireguard it was just more complicated when one side didn’t have a public IP. Whyyyy can’t we adopt ipv6 already.
also fyi starlink has public ipv6 available if you DO wan’t to set it up. been hosting a minecraft server off a starlink connection lol.
At my remote site it has little value. At my home I have IPv6 setup on Starlink as my secondary backup internet. I use Fiber as the primary that has a public IPv4 and IPv6.
Could just use a VPS though I guess if you want.
Are you singling out Jellyfin for a particular reason? Or are also going to advise just never opening ports in general?
jellyfin people just always spout this advice as some sort of copium and i dont even know why. ALL software will have security issues at some point or another. just update and move on with your life.
There is a new story every week in Steve Gibson’s “Security Now” podcast about why you should virtually never open ports. And if you do, you’d better IP restrict. Even, or especially, in commercial products. Cisco has a new CVSS 10.0 every other week just about
I run pretty much all my stuff through NPMplus. Then I have a firewall between my public and private networks in case something does get compromised. But I’ve had Plex exposed (on a non-default port) for literally years and nothing ever happens.
Why NPMplus and not the default NPM?
Primarily for the CrowdSec integration (one less thing to set up manually)
https://www.virtualizationhowto.com/2025/09/nginx-proxy-manager-vs-npmplus-which-one-is-better-for-your-home-lab/
Why link the fork of a fork in your original response?
uhhh did i? https://github.com/ZoeyVid/NPMplus is the link I meant to post for npmplus. its a fork of npm.
Definitely.
But I think more than copium it’s them understanding their users. It’s advice for people that will figure out how to run Jellyfin but won’t stay on top of updates, setup a waf, use a firewall/reverseproxy to limit access, etc. There are surely a lot of those that just one clicked an installer etc and for them it’s good advice.
that’s fair, does it not have any kind of encryption by default?
Standard TLS, I think, but what else would you need?
None really, just wondering what the issue with opening it up is if it has TLS? In 10+ years I’ve never had my Plex server compromised and it just uses TLS. I do change the default port but that’s it.
Plex logins go through their login server so you’ll also have login throttling and probably other bot protections.
They also do some SSL shenanigans to get every user a unique, valid public certificate created during setup. https://words.filippo.io/how-plex-is-doing-https-for-all-its-users/
That’s kinda my perspective on it to. I mean, how do they think websites work? Gotta expose ports to make all the internet things happen. Sure commercial stuff will have more devices to protect it, but there are things you can do to mitigate issues at home too.
For the vast majority of users? Yes. They shouldn’t forward ports.
Setup a VPN gateway at Grandma’s house.
Jellyfin is particularly bad compared to other things. You still should avoid exposing stuff to the internet
Perhaps “behind” pangolin?