Jellysweep uses uncontrolled data in image cache API endpoint

8.9 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Description

Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.

AI Analysis

Uncontrolled data in image cache API endpoint allows authenticated users to download arbitrary content

Basic Information

ID CVE-2025-64178

Source GitHub_M

Published Nov 6, 2025 at 21:46

Affected Product

Vendor jon4hz

Product jellysweep

Version < 0.13.0

Affected Versions jon4hz jellysweep < 0.13.0

CWE Classification

CWE-918

AI Assessment

AI Score 8.9 / 10

AI Severity High

Vendor jon4hz

Product jellysweep

Version 0.12.1 and below

References

{
    "lastseen": "",
    "description": "Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.",
    "published": "2025-11-06T21:46:58.994Z",
    "modified": "2025-11-06T21:46:58.994Z",
    "type": "cve",
    "title": "Jellysweep uses uncontrolled data in image cache API endpoint",
    "source": "GitHub_M",
    "references": "https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg\nhttps://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101",
    "id": "CVE-2025-64178",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "jon4hz jellysweep < 0.13.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.9,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "jellysweep",
    "version": "< 0.13.0",
    "vendor": "jon4hz",
    "ai_description": "Uncontrolled data in image cache API endpoint allows authenticated users to download arbitrary content",
    "ai_severity": "High",
    "ai_vendor": "jon4hz",
    "ai_product": "jellysweep",
    "ai_version": "0.12.1 and below",
    "ai_score": 8.9
}

Jellysweep uses uncontrolled data in image cache API endpoint_CVE-2025-64178