CVE-2021-25827: 
Homebrew vulnerability analysis and mitigation

Emby Server versions prior to 4.7.12.0 contained a critical authentication bypass vulnerability (CVE-2021-25827). The vulnerability was discovered in 2021 and allowed attackers to bypass login authentication by manipulating the X-Forwarded-For header with local IP addresses. The issue affected Emby Server's local network authentication feature and was officially patched in version 4.7.12.0 (NVD, GitHub Advisory).

The vulnerability exploited Emby Server's local/non-local network determination mechanism which affected account login requirements. By spoofing the X-Forwarded-For header with local IP addresses (e.g., 192.168.1.1 or 127.0.0.1), attackers could bypass the IP whitelist feature and authentication controls. The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity with network attack vector, low complexity, and no required privileges or user interaction (NVD).

The vulnerability potentially allowed unauthorized administrative access to Emby Server systems, particularly affecting servers that were publicly accessible and where administrators hadn't properly configured account login settings. Attackers could potentially view user account lists, including accounts with no passwords configured, and gain unauthorized system access (GitHub Advisory).

The vulnerability was patched in Emby Server version 4.7.12.0 by preventing local network addresses from being specified in x-forwarded-for and x-real-ip headers. For pre-patch versions, recommended mitigations include configuring all administrative accounts (and preferably all accounts) to have passwords assigned and setting the Local network sign in mode to 'Require a password on the local network' (GitHub Advisory).