Comment by random_human_

11 hours ago

If you expose Jellyfin on 443, have HTTPS properly set up (which Caddy handles automatically), your admin password is not pswd1234 (or you straight up disable remote admin logins), and use a cheap .com domain rather than your IP--what is the actual attack surface in that case?

As far as I can remember that is more or less what is usually suggested by Jellyfin's devs, and I have yet to see something that convinces me about its inadequacy.

3 comments

random_human_

Mashimo 10 hours ago

He claims there are known exploits. Though I also want to know if this is really true.

tech234a 10 hours ago
https://github.com/jellyfin/jellyfin/issues/5415
- random_human_ 8 hours ago
  
  The absolute worst thing I can see in there is that an third party who somehow managed to get a link to one of your library items (either directly from you or from one of your users--or by spending the next decade bruteforcing it I guess) could stream said item: https://github.com/jellyfin/jellyfin/issues/5415#issuecommen...
  Everything else looks to me like unimportant issues, that would provide someone who's already logged in as a user minor details about your server.