Search criteria
1 vulnerability by jon4hz
CVE-2025-64178 (GCVE-0-2025-64178)
Vulnerability from cvelistv5 – Published: 2025-11-06 21:46 – Updated: 2025-11-07 14:59
VLAI?
Title
Jellysweep uses uncontrolled data in image cache API endpoint
Summary
Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| jon4hz | jellysweep |
Affected:
< 0.13.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T14:59:50.040884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T14:59:57.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellysweep",
"vendor": "jon4hz",
"versions": [
{
"status": "affected",
"version": "\u003c 0.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:46:58.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg"
},
{
"name": "https://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101"
}
],
"source": {
"advisory": "GHSA-xc93-q32j-cpcg",
"discovery": "UNKNOWN"
},
"title": "Jellysweep uses uncontrolled data in image cache API endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64178",
"datePublished": "2025-11-06T21:46:58.994Z",
"dateReserved": "2025-10-28T21:07:16.439Z",
"dateUpdated": "2025-11-07T14:59:57.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}