[random_human_]

If you expose Jellyfin on 443, have HTTPS properly set up (which Caddy handles automatically), your admin password is not pswd1234 (or you straight up disable remote admin logins), and use a cheap .com domain rather than your IP--what is the actual attack surface in that case?

As far as I can remember that is more or less what is usually suggested by Jellyfin's devs, and I have yet to see something that convinces me about its inadequacy.

[Mashimo]

He claims there are known exploits. Though I also want to know if this is really true.

[tech234a]

https://github.com/jellyfin/jellyfin/issues/5415

[random_human_]

The absolute worst thing I can see in there is that an third party who somehow managed to get a link to one of your library items (either directly from you or from one of your users--or by spending the next decade bruteforcing it I guess) could stream said item: https://github.com/jellyfin/jellyfin/issues/5415#issuecommen...

Everything else looks to me like unimportant issues, that would provide someone who's already logged in as a user minor details about your server.

[theshrike79]

Nearly everyone uses the *arr stack with the Trash guides.

Which means that the paths are pretty damn uniform.

[random_human_]

Unless I am misunderstanding the discussion on GitHub, the attacker would still need to know the exact path where the file is saved, and the name of the file itself. Even then, all they can do is download the file from your device--which they could just torrent themselves for a fraction of the effort.

[theshrike79]

A DDoS is still a valid attack.

Very few consumer connections can manage, say, 100 clients downloading a massive video file simultaneously.