CVE-2025-64178
HIGHjellysweep < 0.13.0 - Authenticated Server-Side Request Forgery via Image Cache URL Parameter
Title source: llmDescription
Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg
Scores
CVSS v4
8.9
EPSS
0.0026
EPSS Percentile
17.0%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
jon4hz/jellysweep
0 - 0.13.0Go
jon4hz/jellysweep
< 0.13.0
Published
Nov 06, 2025
Tracked Since
Feb 18, 2026