Derkington, Posted January 7

Hello Emby Team,

I came across the following external reports:

https://nvd.nist.gov/vuln/detail/CVE-2025-64325
https://cybersecuritynews.com/critical-emby-server-vulnerability/

After reading these, I searched the Emby community forum and eventually found this single related post:

https://emby.media/community/index.php?/topic/144874-critical-vulnerability-cve-2025-64113-allows-unauthenticated-admin-takeover/#comment-1493021

While I understand that the issue has since been addressed, I was surprised that I could not find a prominent, official announcement from Emby about this vulnerability. Given the severity of the issue and its high NIST rating, more visible communication would have been helpful to ensure users were aware of the risk and the remediation steps.

I appreciate that limited initial communication may have helped provide time to investigate and address the issue once it became clear and a fix was being developed. However, even after remediation, I was unable to find a final official summary or post from Emby outlining the vulnerability and resolution.

I also noticed that the fix was delivered via the plugin mechanism. While I appreciate the ability to deploy fixes quickly, I am curious whether this is the intended and documented approach for handling critical security issues, as this is not the first time it has been used in this way.

Given how I discovered this issue, through third-party sources rather than Emby itself, it raised questions about how users are expected to stay informed, particularly if a mitigation path were not available or if users were unaware that action was required. More proactive communication, such as a dedicated security advisory or announcement, would provide reassurance and help users respond more confidently in situations like this.

Cheers.
Tigga5, Posted January 7

Yup, this follows the same pattern we’ve seen from Emby for years now: ignore the issue and hope it goes away before too many people notice. The devs need to stop treating this as a personal hobby project and start treating it like the paid product it is. Instead of treating security as a pillar of the software, it's treated like an inconvenience that gets in the way of Luke's personal vision for the app.
ebr, Posted January 7

2 hours ago, Derkington said:
"I came across the following external reports: https://nvd.nist.gov/vuln/detail/CVE-2025-64325"

Hi. That CVE was filed by us and resides in our repo.

https://github.com/EmbySupport/Emby.Security/security/advisories/