
CVE

CVE-2025-64113

Withdrawn Advisory: Emby Server API Vulnerability allowing to gain administrative access without precondition

Withdrawn Advisory

This advisory has been withdrawn because it incorrectly listed MediaBrowser.Server.Core as vulnerable. CVE-2025-64113 affects Emby Server versions 4.9.1.80 and prior, and Emby Server Beta versions 4.9.2.6 and prior.

Original Description

Impact

This vulnerability affects all Emby Server versions, beta and stable, up to the specified versions.

It allows an attacker to gain full administrative access to an Emby Server (administrative access to Emby Server itself, not at the OS level).

Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable.

Patches

Quick Fix

A quick fix will be rolled out via an update to one of the default-included Emby Server plugins.

This approach was chosen because many users update their servers manually, while plugin updates are typically configured to be applied automatically. This allows a patch to be deployed to a large number of servers within a single day.

Server Patches

Patched versions for both Emby Server stable and Emby Server beta are available now.

All Emby Server owners are strongly encouraged to apply those updates as soon as possible.

Workarounds

Note: These workarounds are OBSOLETE now. Please update Emby Server instead!

As an immediate remedy, it is possible to set restricted file system permissions on the passwordreset.txt file in the configuration folder of Emby Server. If it doesn't exist, users can create the file themselves or just call the ForgotPassword API once, which will create the file.

On Windows, users can set DENY permissions for "Authenticated Users"; on Linux, permissions can be set via `sudo chmod 444 passwordreset.txt`.

This will make the API request fail, which completely eliminates the vulnerability.


CVSS Version: 4.0
Severity: Critical
Base Score: 9.3
Score Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X


References

https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-95fv-5gfj-2r84
https://nvd.nist.gov/vuln/detail/CVE-2025-64113
https://github.com/EmbySupport/Emby.Security


Basic Information

Ecosystem: 
Base CVSS: 0
EPSS Probability: 0.00019%
EPSS Percentile: 0.03991%
Introduced Version: 0
Fix Available: 4.9.1.81
