CVE

CVE-2025-64178

Jellysweep uses uncontrolled data in image cache API endpoint

CVE

CVE-2025-64178

Jellysweep uses uncontrolled data in image cache API endpoint

Impact

The /api/images/cache which is used to download media posters from the server accepted an url parameter, which was directly passed to the cache package and that downloaded the poster from this URL.

This URL parameter can be used to make the jellysweep server download arbitrary content.

The API endpoint can only be used by authenticated users.

Patches

Fixed in v0.13.0. The affected (and now fixed) library was also moved to internal/ because it wasn't meant to be imported.

References

https://github.com/jon4hz/jellysweep/security/code-scanning/28

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.9

4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Related Resources

No items found.

References

https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg, https://nvd.nist.gov/vuln/detail/CVE-2025-64178, https://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101, https://github.com/jon4hz/jellysweep

Severity

0

CVSS Score

Basic Information

Ecosystem

Base CVSS

EPSS Probability

0.00061%

EPSS Percentile

0.19385%

Introduced Version

Fix Available

0.13.0

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-64178

CVE-2025-64178

Impact

Patches

References

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

0

Basic Information

Fix Critical Vulnerabilities Instantly