CVE-2025-64178

Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101
https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Jellysweep es una herramienta de limpieza para el servidor de medios Jellyfin. En las versiones 0.12.1 e inferiores, /API/images/cache, utilizado para descargar pósteres de medios del servidor, aceptaba un parámetro URL que se pasaba directamente al paquete de caché, el cual descargaba el póster de esta URL. Este parámetro URL puede utilizarse para hacer que el servidor Jellysweep descargue contenido arbitrario. El endpoint de la API solo puede ser utilizado por usuarios autenticados. Este problema se corrige en la versión 0.13.0.

06 Nov 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-06 22:15

Updated : 2026-06-17 09:53

NVD link : CVE-2025-64178

Mitre link : CVE-2025-64178

CVE.ORG link : CVE-2025-64178

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2025-64178", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-64178", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-07T14:59:50.040884Z"}}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "jon4hz", "product": "jellysweep", "versions": [{"status": "affected", "version": "< 0.13.0"}]}]}], "published": "2025-11-06T22:15:44.193", "references": [{"url": "https://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101", "source": "security-advisories@github.com"}, {"url": "https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0."}, {"lang": "es", "value": "Jellysweep es una herramienta de limpieza para el servidor de medios Jellyfin. En las versiones 0.12.1 e inferiores, /API/images/cache, utilizado para descargar p\u00f3steres de medios del servidor, aceptaba un par\u00e1metro URL que se pasaba directamente al paquete de cach\u00e9, el cual descargaba el p\u00f3ster de esta URL. Este par\u00e1metro URL puede utilizarse para hacer que el servidor Jellysweep descargue contenido arbitrario. El endpoint de la API solo puede ser utilizado por usuarios autenticados. Este problema se corrige en la versi\u00f3n 0.13.0."}], "lastModified": "2026-06-17T09:53:57.840", "sourceIdentifier": "security-advisories@github.com"}