MediaMTX

Media Servers

Ready-to-use, zero-dependency real-time media server and proxy to publish, read, record, playback and route video/audio streams over SRT, WebRTC, RTSP, RTMP, HLS, MPEG-TS, RTP.

Go · Latest v1.19.0 · 1d ago

Features

  • Publish live streams via SRT, WebRTC, RTSP, RTMP, HLS, MPEG‑TS and more
  • Read streams from the server using multiple protocols (SRT, WebRTC, etc.) with automatic protocol conversion
  • Record streams to disk in fMP4 or MPEG‑TS format

Recent releases

Review required
v1.19.0 New feature
Dependencies Auth

Media-over-QUIC, FLAC, general fixes

Review required
v1.18.2 Bug fix
Breaking upgrade Dependencies

HLS init.mp4 regression fix

v1.18.1 Security relevant
Security fixes
  • MTX_QUERY is now URL‑encoded, preventing code injection (GHSA issue #5707)
Notable features
  • Support for reading and writing KLV in HLS streams
  • hlsCDNSecret configuration to simplify CDN‑backed HLS serving
Full changelog

Fixes and improvements

General

  • prevent code injection in case of MTX_QUERY in hooks (https://github.com/bluenviron/mediamtx/issues/5707) When MTX_QUERY is used explicitly in hooks, for instance "curl http://something/?$MTX_QUERY", it can be used to inject arbitrary commands. MTX_QUERY is now url-encoded to prevent any abuse regardless of the configuration.
  • use temporary redirects instead of permanent redirects (https://github.com/bluenviron/mediamtx/issues/5710) this prevents unwanted caching.
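
Why encoding closes the MTX_QUERY hole, as an added Go example (not MediaMTX code). It assumes a hook runner that substitutes $MTX_QUERY textually into a shell command line and uses the standard library's url.QueryEscape as a stand-in for the project's encoder; expandHook, encodeQuery, metaIn and the sample query are illustrative.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// shellMeta lists characters a POSIX shell treats specially in an unquoted word.
const shellMeta = ";&|`$()<>\\\"' \t\n*?[]{}!#"

// expandHook imitates a hook runner that substitutes $MTX_QUERY textually
// into a command line before handing it to a shell (hypothetical helper).
func expandHook(template, query string) string {
	return strings.ReplaceAll(template, "$MTX_QUERY", query)
}

// encodeQuery percent-encodes the whole client-supplied query string, leaving
// only [A-Za-z0-9-_.~], '%' and '+'. url.QueryEscape is an assumption here:
// the release note does not show the project's encoder.
func encodeQuery(raw string) string {
	return url.QueryEscape(raw)
}

// metaIn returns the shell-significant characters present in s,
// each once, in order of first appearance.
func metaIn(s string) string {
	var found strings.Builder
	for _, r := range s {
		if strings.ContainsRune(shellMeta, r) && !strings.ContainsRune(found.String(), r) {
			found.WriteRune(r)
		}
	}
	return found.String()
}

func main() {
	const hook = "curl http://something/?$MTX_QUERY" // hook form quoted in the release note
	raw := "user=alice;echo injected"                // constructed sample query
	fmt.Printf("raw:     %s  meta=%q\n", expandHook(hook, raw), metaIn(raw))
	enc := encodeQuery(raw)
	fmt.Printf("encoded: %s  meta=%q\n", expandHook(hook, enc), metaIn(enc))
}
```

The endpoint that receives the hook request has to decode the value once to recover the original query string.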

HLS

  • prevent open redirect attacks (https://github.com/bluenviron/mediamtx/issues/5708)
  • support reading and writing KLV (https://github.com/bluenviron/mediamtx/issues/5604)
  • add hlsCDNSecret (https://github.com/bluenviron/mediamtx/issues/5716) this allows serving HLS streams behind a CDN in a simplified way, compatible with the new HLS session system.
  • add public attribute to cache-control header (https://github.com/bluenviron/gohlslib/issues/349)
  • allow caching non-low-latency playlists (https://github.com/bluenviron/gohlslib/issues/350)

WebRTC

  • prevent open redirect attacks (https://github.com/bluenviron/mediamtx/issues/5708)

RPI Camera

  • Merge request->controls instead of overwriting (https://github.com/bluenviron/mediamtx-rpicamera/issues/97) libcamera 0.7.0 is more strict about changing controls; assignment is no longer allowed since https://github.com/raspberrypi/libcamera/commit/310cd8bc0756717cde97fe5b083926f6d6931f58 Instead, we use the merge call with overwrite.

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check
v1.18.0 Breaking risk
Breaking changes
  • Deprecated and disabled the authJWTInHTTPQuery configuration option, removing support for JWTs in HTTP query parameters.
Security fixes
  • Disabled authJWTInHTTPQuery – resolves long‑standing security flaw allowing JWT injection via query strings.
Notable features
  • HLS track sessions via cookies or query parameters for session‑level logging, metrics, and API inspection.
  • Support serving HLS streams through a CDN.
Full changelog

New major features

HLS

  • track sessions (https://github.com/bluenviron/mediamtx/issues/962) (https://github.com/bluenviron/mediamtx/issues/5683) sessions are now tracked through cookies or query parameters. This provides the ability to inspect sessions through logs, metrics and API, allows more precise tracking of outbound bytes, decreases load on external HTTP authentication URLs since they are now called once per session and not once per request.
  • support serving streams with a CDN (https://github.com/bluenviron/mediamtx/issues/5696)

Fixes and improvements

General

  • improve listener labels (https://github.com/bluenviron/mediamtx/issues/5635) add a label after every "listener opened on :XXX" message that mentions protocols of every listener.
  • dump unencrypted TLS sessions (https://github.com/bluenviron/mediamtx/issues/5624) when dumpPackets is true, embed TLS master keys into the dump, in a format which is natively compatible with Wireshark.
  • use "token" as query parameter key to pass tokens (https://github.com/bluenviron/mediamtx/issues/5647) the legacy "jwt" query parameter key is still supported.
  • deprecate authJWTInHTTPQuery and disable JWTs in query parameters (https://github.com/bluenviron/mediamtx/issues/5648) This fixes a long standing security flaw. Even though it's a breaking change, few users should be impacted since this feature has been discouraged for some time.
  • expose token passed as query parameter to HTTP authentication too (https://github.com/bluenviron/mediamtx/issues/5649) this allows parsing tokens coming from RTSP and RTMP without additional effort.
  • playback: return errors as JSON (https://github.com/bluenviron/mediamtx/issues/5656) this is aligned with all other HTTP-based services.
  • prevent out-of-memory errors (https://github.com/bluenviron/mediamtx/issues/5674) impose a maximum size on body of incoming HTTP requests and responses.
  • metrics: improve performance (https://github.com/bluenviron/mediamtx/issues/5663) use string.Builder instead of string concatenation
  • metrics: add labels to the output (https://github.com/bluenviron/mediamtx/issues/5687) group metrics under visible, distinct labels.
  • metrics: fix filtering by type=rtmp_conns and type=rtmps_conns (https://github.com/bluenviron/mediamtx/issues/5689)
  • metrics: add readerType attribute to the path_readers metric (https://github.com/bluenviron/mediamtx/issues/5690) this allows filtering path readers by type.
  • metrics: use an enum for parsing metrics type (https://github.com/bluenviron/mediamtx/issues/5692)
  • metrics: fix race condition when reloading configuration (https://github.com/bluenviron/mediamtx/issues/5693)
  • docs: add scaling page (https://github.com/bluenviron/mediamtx/issues/5695)

API

  • sort path readers (https://github.com/bluenviron/mediamtx/issues/5691)

RTSP

  • client: fix RTSP-over-HTTP tunnel request target (https://github.com/bluenviron/gortsplib/issues/1041)
  • client: support Axis SRTP variant (https://github.com/bluenviron/gortsplib/issues/1033)
  • improve SDP parser compatibility with malformed connection information (https://github.com/bluenviron/gortsplib/issues/1025)
  • support parsing responses with no status message (https://github.com/bluenviron/gortsplib/issues/1043) (https://github.com/bluenviron/gortsplib/issues/1050)
  • client: don't block RTSP-over-HTTP tunnel startup on POST response (https://github.com/bluenviron/gortsplib/issues/1047)

HLS

  • return JSON with error message in case path conf is not available (https://github.com/bluenviron/mediamtx/issues/5655) this behavior is aligned with WebRTC one.
  • improve muxer performance (https://github.com/bluenviron/mediamtx/issues/5660) use a mutex instead of a channel to get current instance.
  • fix running linter when there are unstaged git changes (https://github.com/bluenviron/gohlslib/issues/336)
  • client: use redirected URL when reloading playlist (https://github.com/bluenviron/gohlslib/issues/340) this allows storing and using tokens and signed URLs.
  • client: support reading KLV (https://github.com/bluenviron/gohlslib/issues/337)
  • prevent out-of-memory errors (https://github.com/bluenviron/gohlslib/issues/343)
  • muxer: generate init segment once (https://github.com/bluenviron/gohlslib/issues/344) Previously, the init segment was regenerated in case of codec parameter changes, but changing the init segment has been proved to cause video and audio discontinuities on iOS. Now the init file contains starting parameters only and never changes during the stream lifetime.
  • client: increase size limit of segments and parts (https://github.com/bluenviron/gohlslib/issues/345)
  • return a custom error when body size limit is exceeded (https://github.com/bluenviron/gohlslib/issues/346)
  • muxer: store non-low-latency playlists and init files on disk (https://github.com/bluenviron/gohlslib/issues/348)

Dependencies

  • code.cloudfoundry.org/bytefmt updated from v0.67.0 to v0.69.0
  • github.com/alecthomas/kong updated from v1.14.0 to v1.15.0
  • github.com/bluenviron/gohlslib/v2 updated from v2.2.9 to v2.3.0
  • github.com/bluenviron/gortsplib/v5 updated from v5.5.1 to v5.5.2
  • github.com/go-git/go-git/v5 updated from v5.17.2 to v5.18.0
  • github.com/matthewhartstonge/argon2 updated from v1.4.6 to v1.5.2
  • github.com/pion/ice/v4 updated from v4.2.2 to v4.2.5
  • golang.org/x/crypto updated from v0.49.0 to v0.50.0
  • golang.org/x/sys updated from v0.42.0 to v0.43.0
  • golang.org/x/term updated from v0.41.0 to v0.42.0
  • github.com/pion/stun/v3 updated from v3.1.1 to v3.1.2
  • github.com/pion/turn/v4 removed
  • golang.org/x/net updated from v0.52.0 to v0.53.0
  • golang.org/x/text updated from v0.35.0 to v0.36.0
  • golang.org/x/time updated from v0.12.0 to v0.14.0
  • github.com/pion/turn/v5 v5.0.3 added
  • hls.js updated from v1.6.15 to v1.6.16

v1.17.1 Security relevant
Security fixes
  • Prevent directory traversal attacks by forbidding special characters that escape intended directories in recorder, playback server, and all HTTP‑based components
Notable features
  • Fill server name indication (SNI) for TLS connections in RTSP and RTMP clients
  • Implement AbortMessage support for RTMP
Full changelog

Fixes and improvements

General

  • prevent directory traversal attacks (https://github.com/bluenviron/mediamtx/issues/5602) Path names are used as part of paths in several components: in the recorder, in the playback server and in every HTTP-based component (WebRTC, HLS, API). Special characters that allow escaping from the intended directory are now forbidden in order to prevent directory traversal attacks.
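
One way to enforce this kind of rule, as an added Go example (not MediaMTX code): a stream path name is validated segment by segment, then the joined filesystem path is re-checked for containment. The rule set, the names validateName and safeJoin, and the /var/recordings directory are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errBadName = errors.New("path name escapes the base directory")

// validateName rejects stream path names that could climb out of a base
// directory: empty names, absolute names, backslashes, NUL bytes, and
// empty, "." or ".." segments. The rule set is an assumption, not MediaMTX's own.
func validateName(name string) error {
	if name == "" || strings.HasPrefix(name, "/") || strings.ContainsAny(name, "\\\x00") {
		return errBadName
	}
	for _, seg := range strings.Split(name, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return errBadName
		}
	}
	return nil
}

// safeJoin builds base/name/file and re-checks containment after cleaning,
// so a gap in the validator still cannot yield a path outside base.
func safeJoin(base, name, file string) (string, error) {
	if err := validateName(name); err != nil {
		return "", err
	}
	full := filepath.Join(base, filepath.FromSlash(name), file)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadName
	}
	return full, nil
}

func main() {
	base := "/var/recordings" // hypothetical recording directory
	// Constructed sample path names: one valid, four that must be rejected.
	for _, name := range []string{"cam/front", "../etc", "cam/../../etc", "/abs", `cam\..\x`} {
		p, err := safeJoin(base, name, "seg.mp4")
		fmt.Printf("%-16q -> %q err=%v\n", name, p, err)
	}
}
```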

RTSP

  • client: fill server name indication (SNI) of TLS connections (https://github.com/bluenviron/gortsplib/issues/1038)

RTMP

  • implement AbortMessage (https://github.com/bluenviron/mediamtx/issues/4673) (https://github.com/bluenviron/gortmplib/issues/59)
  • client: fill server name indication (SNI) of TLS connections (https://github.com/bluenviron/gortmplib/issues/63)

WebRTC

  • fix random absolute timestamps with Opus, G711 and LPCM (https://github.com/bluenviron/mediamtx/issues/5597) When rewriting audio RTP timestamps in WebRTC egress, NTP was derived using regenerated packet timestamps minus the incoming RTP base timestamp. That mixed timestamp domains and could shift absolute time by an arbitrary offset while still exposing mapping as available. Fix by using a consistent outgoing RTP domain in rewritten audio paths.
  • strip TWCC extension of incoming RTP packets (https://github.com/bluenviron/mediamtx/issues/5146) (https://github.com/bluenviron/mediamtx/issues/5605) The TWCC extension is used as part of the WebRTC congestion control algorithm placed between the publisher and the server. If this extension is routed untouched from the server to readers, it messes with the congestion control algorithm present between the server and each reader. Remove it.

RPI Camera

  • restore Docker compatibility with armv6 devices (https://github.com/bluenviron/mediamtx/issues/5590) (https://github.com/bluenviron/mediamtx/issues/5595)
  • restore compatibility with armv6 devices (https://github.com/bluenviron/mediamtx/issues/5590) (https://github.com/bluenviron/mediamtx-rpicamera/issues/95)

Dependencies

  • github.com/bluenviron/gortmplib updated from v0.3.0 to v0.3.1
  • github.com/bluenviron/gortsplib/v5 updated from v5.5.0 to v5.5.1
  • github.com/gin-contrib/pprof updated from v1.5.3 to v1.5.4
  • github.com/go-git/go-git/v5 updated from v5.17.0 to v5.17.2
  • github.com/pion/ice/v4 updated from v4.2.1 to v4.2.2
  • github.com/pion/webrtc/v4 updated from v4.2.9 to v4.2.11
  • github.com/pion/sctp updated from v1.9.2 to v1.9.4
  • github.com/bluenviron/mediamtx-rpicamera updated from v2.5.4 to v2.5.5


About

Stars: 18,945
Forks: 2,238
Languages: Go, JavaScript, HTML

Install & Platforms

Platforms: linux, macos, windows