CVE-2025-64178

Vulnerability Description

Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.

Related Weaknesses (CWE)

References

FAQ

What is CVE-2025-64178?

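CVE-2025-64178 is a vulnerability in Jellysweep, a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, the /api/images/cache endpoint, used to download media posters from the server, accepted a URL parameter that was passed directly to the cache package, so an authenticated user could make the Jellysweep server download arbitrary content. The issue is fixed in version 0.13.0.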

How severe is CVE-2025-64178?

CVSS scoring is not yet available for CVE-2025-64178. Check NVD for updates.

Is there a patch for CVE-2025-64178?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.