Advisory

Plex warns users to update their Media Server immediately for an undisclosed critical flaw

Take action: If you're running Plex Media Server and it's exposed to the internet, patch IMMEDIATELY! Even if it's not accessible from the internet, Plex deemed it important enough to email users. So don't ignore it, patch ASAP!


Learn More

Plex Inc. has issued urgent warnings to users of its Media Server software to immediately update their installations due to a recently discovered undisclosed security vulnerability. 

Plex Media Server is used by millions of users worldwide for organizing and streaming personal media collections. The software allows users to access their media libraries remotely, which means that a lot of Plex Media Servers are exposed on the Internet. 

The vulnerability has not yet been assigned a CVE identifier but is apparently critical enough for the streaming media company to directly email users running vulnerable versions.

Update - The vulnerability is tracked as CVE-2025-34158 (CVSS score 10) and is an improper input validation vulnerability.

Plex stated in emails to affected users: "We recently received a report via our bug bounty program that there was a potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x. Thanks to that user, we were able to address the issue, release an updated version of the server, and continue to improve our security and defenses."

Plex quietly released security updates four days before sending warning emails to users on Thursday, August 14, 2025. The company said: "You're receiving this notice because our information indicates that a Plex Media Server owned by your Plex account is running an older version of the server. We strongly recommend that everyone update their Plex Media Server to the most recent version as soon as possible, if you have not already done so."

Users can download the patched version 1.42.1.10060 through their server's management interface or directly from Plex's official downloads page. Organizations and individuals running internet-accessible Plex servers should treat this as a critical, urgent security update.
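
For anyone tracking more than one server, the following added example (not from Plex or the original advisory) triages a list of reported server versions against the affected range 1.41.7.x to 1.42.0.x and the patched build 1.42.1.10060 quoted above. The hostnames, build hashes and the optional `-<hash>` version suffix are assumptions made for illustration.

```python
import re

# Version bounds taken from the advisory text above.
AFFECTED_MIN = (1, 41, 7)        # first affected release line (1.41.7.x)
AFFECTED_MAX = (1, 42, 0)        # last affected release line (1.42.0.x)
PATCHED = (1, 42, 1, 10060)      # patched build named in the advisory

# Assumption: a version may carry a "-<build hash>" suffix, which is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z]+)?\s*$")

def parse_version(text):
    """Return (major, minor, patch, build), or None if the string is malformed."""
    m = _VERSION_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(text):
    """Classify one reported version against the advisory's ranges."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    if v >= PATCHED:
        return "patched"
    if AFFECTED_MIN <= v[:3] <= AFFECTED_MAX:
        return "affected"
    if v[:3] < AFFECTED_MIN:
        return "older-than-affected-range"   # outside the stated range, still outdated
    return "below-patched-build"             # 1.42.1.x under 10060: not covered by the text

def triage(inventory):
    """Turn {host: version string} into (host, status) rows, worst findings first."""
    order = {"affected": 0, "below-patched-build": 1, "unparseable": 2,
             "older-than-affected-range": 3, "patched": 4}
    rows = [(host, classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))

# Constructed sample inventory (hostnames and build hashes are made up).
SAMPLE = {
    "media-01": "1.41.7.9799-0123abcde",
    "media-02": "1.42.0.9999",
    "media-03": "1.42.1.10060-0123abcde",
    "media-04": "1.40.2.8395",
    "media-05": "1.42.1.10054",
    "media-06": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host:10} {SAMPLE[host]:26} {status}")
```

Anything not reported as `patched` should be updated, since the advisory recommends that everyone move to the most recent version.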
