Description

Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.

INFO

Published Date :

2025-11-06T21:46:58.994Z

Last Modified :

2025-11-06T21:46:58.994Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64178 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64178.

URL Resource
https://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101 cve-icon cve-icon
https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability