Search
Find a vulnerability
Search criteria
2 vulnerabilities found for jellysweep by jon4hz
CVE-2025-64178 (GCVE-0-2025-64178)
Vulnerability from nvd – Published: 2025-11-06 21:46 – Updated: 2025-11-07 14:59
VLAI
EPSS
VEX
Title
Jellysweep uses uncontrolled data in image cache API endpoint
Summary
Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jon4hz/jellysweep/security/adv… | x_refsource_CONFIRM |
| https://github.com/jon4hz/jellysweep/commit/17466… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jon4hz | jellysweep |
Affected:
< 0.13.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T14:59:50.040884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T14:59:57.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellysweep",
"vendor": "jon4hz",
"versions": [
{
"status": "affected",
"version": "\u003c 0.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:46:58.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg"
},
{
"name": "https://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101"
}
],
"source": {
"advisory": "GHSA-xc93-q32j-cpcg",
"discovery": "UNKNOWN"
},
"title": "Jellysweep uses uncontrolled data in image cache API endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64178",
"datePublished": "2025-11-06T21:46:58.994Z",
"dateReserved": "2025-10-28T21:07:16.439Z",
"dateUpdated": "2025-11-07T14:59:57.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64178 (GCVE-0-2025-64178)
Vulnerability from cvelistv5 – Published: 2025-11-06 21:46 – Updated: 2025-11-07 14:59
VLAI
EPSS
VEX
Title
Jellysweep uses uncontrolled data in image cache API endpoint
Summary
Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jon4hz/jellysweep/security/adv… | x_refsource_CONFIRM |
| https://github.com/jon4hz/jellysweep/commit/17466… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jon4hz | jellysweep |
Affected:
< 0.13.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T14:59:50.040884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T14:59:57.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellysweep",
"vendor": "jon4hz",
"versions": [
{
"status": "affected",
"version": "\u003c 0.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:46:58.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg"
},
{
"name": "https://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101"
}
],
"source": {
"advisory": "GHSA-xc93-q32j-cpcg",
"discovery": "UNKNOWN"
},
"title": "Jellysweep uses uncontrolled data in image cache API endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64178",
"datePublished": "2025-11-06T21:46:58.994Z",
"dateReserved": "2025-10-28T21:07:16.439Z",
"dateUpdated": "2025-11-07T14:59:57.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}