CVE-2025-64178 HIGH

CVE-2025-64178: Jellysweep uses uncontrolled data in image cache API endpoint

Vendor Jon4Hz
Product jellysweep
Weakness CWE-918 · SSRF
Published November 6, 2025
Last update November 7, 2025

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality (vulnerable system) None
Integrity (vulnerable system) None
Availability (vulnerable system) High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

What the vulnerability does

Description

Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, the /api/images/cache endpoint, used to download media posters from the server, accepted a URL parameter that was passed directly to the cache package, which then downloaded the poster from that URL. Because the URL was not validated against the configured media server, the parameter can be used to make the Jellysweep server download arbitrary content (server-side request forgery). The endpoint is reachable only by authenticated users. This issue is fixed in version 0.13.0.
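The description above points at the defect class: a client-supplied URL that reaches the downloader unchanged. The following Go example is added here to show the two mitigations a reviewer would expect for such an endpoint; it is not Jellysweep's code and does not reflect how version 0.13.0 fixes the issue. The type name PosterURLPolicy, the configured base URL http://jellyfin.lan:8096, the /Items/ path prefix and the 32-hex-character item ID format are all assumptions. Validate pins a legacy URL parameter to the configured server (scheme, host and port, no userinfo, no path traversal); PosterURLForItem is the stronger form, where the client sends only an identifier and the server builds the URL itself.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Sentinel errors so a handler can map each rejection to a 400 and log
// the reason without leaking the parsed URL back to the client.
var (
	ErrBadScheme    = errors.New("scheme does not match the configured media server")
	ErrUserInfo     = errors.New("userinfo in URL is not permitted")
	ErrHostMismatch = errors.New("host is not the configured media server")
	ErrPathPrefix   = errors.New("path is outside the allowed poster path")
	ErrBadItemID    = errors.New("item id is not a 32-character hex string")
)

// PosterURLPolicy pins poster downloads to the one upstream the service is
// configured to talk to. Base is the Jellyfin base URL from configuration
// (assumed example: http://jellyfin.lan:8096); PathPrefix is the only path
// under which poster images are expected (assumed: "/Items/").
type PosterURLPolicy struct {
	Base       *url.URL
	PathPrefix string
}

// Validate checks a client-supplied URL against the policy and returns a
// rebuilt URL that is safe to hand to the downloader. It closes the usual
// SSRF escape hatches: a different scheme, userinfo that makes the host
// look like the expected one, a different host or port, and ".." segments
// that walk out of the poster path.
func (p PosterURLPolicy) Validate(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if !strings.EqualFold(u.Scheme, p.Base.Scheme) {
		return nil, ErrBadScheme
	}
	if u.User != nil {
		return nil, ErrUserInfo
	}
	// u.Host includes the port, so "jellyfin.lan" and "jellyfin.lan:8096"
	// are different hosts; the client value must match the base exactly.
	if !strings.EqualFold(u.Host, p.Base.Host) {
		return nil, ErrHostMismatch
	}
	cleaned := path.Clean("/" + u.Path)
	if !strings.HasPrefix(cleaned, p.PathPrefix) {
		return nil, ErrPathPrefix
	}
	// Rebuild from configured values rather than returning the parsed URL,
	// so only the path and query survive from the client input.
	return &url.URL{Scheme: p.Base.Scheme, Host: p.Base.Host, Path: cleaned, RawQuery: u.RawQuery}, nil
}

// itemIDPattern is an assumption about Jellyfin item IDs (a GUID rendered
// as 32 hex characters without dashes).
var itemIDPattern = regexp.MustCompile(`^[0-9a-fA-F]{32}$`)

// PosterURLForItem is the stronger design: the client supplies only an item
// identifier and the server composes the URL, so no client-controlled host
// or path ever reaches the downloader.
func (p PosterURLPolicy) PosterURLForItem(itemID string) (*url.URL, error) {
	if !itemIDPattern.MatchString(itemID) {
		return nil, ErrBadItemID
	}
	u := *p.Base
	u.Path = path.Join(p.Base.Path, p.PathPrefix, itemID, "Images", "Primary")
	return &u, nil
}

func main() {
	base, _ := url.Parse("http://jellyfin.lan:8096") // constructed config value
	policy := PosterURLPolicy{Base: base, PathPrefix: "/Items/"}
	// Constructed sample inputs: one legitimate poster URL and four that a
	// validating endpoint must refuse.
	for _, raw := range []string{
		"http://jellyfin.lan:8096/Items/0123456789abcdef0123456789abcdef/Images/Primary?tag=a1",
		"ftp://jellyfin.lan:8096/Items/x",
		"http://jellyfin.lan:8096@other.example/Items/x",
		"http://other.example:8096/Items/x",
		"http://jellyfin.lan:8096/../admin",
	} {
		if u, err := policy.Validate(raw); err != nil {
			fmt.Printf("reject %q: %v\n", raw, err)
		} else {
			fmt.Printf("accept %q -> %s\n", raw, u)
		}
	}
}
```

The userinfo check matters because "http://jellyfin.lan:8096@other.example/" parses with the expected server name in the userinfo part and other.example as the real host; comparing the full Host (including port) catches both host substitution and a different port on the right host.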

Key dates

Disclosure timeline

November 6, 2025 CVE published
November 7, 2025 Record updated
