CVE-2025-64178
BaseFortify
Publication date: 2025-11-06
Last updated on: 2025-11-12
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range | Status |
|---|---|---|---|
| jon4hz | jellysweep | 0.12.1 and earlier | affected |
| jon4hz | jellysweep | 0.13.0 | fixed |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is a server-side request forgery (SSRF, CWE-918) in Jellysweep 0.12.1 and earlier. The /api/images/cache endpoint takes a URL parameter supplied by the client and hands it straight to the cache package, which fetches it server-side to cache media posters. Nothing checks that the URL points at an expected poster host, so any authenticated user can make the Jellysweep process issue an HTTP request to a destination of their choosing and have the response stored in the cache. The issue is fixed in version 0.13.0.
How can this vulnerability impact me?
An authenticated user can turn the Jellysweep server into a request proxy. Because the request originates from the server, it carries the server's network position: the attacker can reach hosts that are not exposed to them directly, such as services bound to localhost, other systems on the internal network, or cloud metadata endpoints, and the fetched content ends up in the poster cache where it may be retrievable. Even where the target is a public URL, the server can be made to download arbitrary, possibly malicious content and spend bandwidth and storage on it. Exploitation requires a valid Jellysweep account, which limits exposure to users you have already granted access.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Jellysweep to version 0.13.0 or later, which contains the fix. The endpoint already requires authentication, so restricting it to authenticated users does not reduce the risk; instead, review who holds accounts and remove any that are not needed. Until you can upgrade, limit what the Jellysweep host is allowed to connect to: block outbound connections from it to loopback, link-local (including cloud metadata addresses) and internal address ranges, and allow egress only to the poster sources it legitimately needs.
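The explanation above says the endpoint passes a client-supplied URL to the downloader without checking its destination, and the mitigation above says to confine outbound requests to legitimate poster sources. The following Go example, added here and not taken from the Jellysweep code base, shows what that missing check looks like in a Go service: the URL is validated against an allowlist before any fetch, and the HTTP client re-checks the resolved IP address at dial time so that an allowlisted hostname resolving to an internal address is still refused. The allowlisted hosts, the function names and the sample URLs are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// Assumed allowlist of poster hosts for the example; the project's real
// poster sources are not stated in the advisory.
var allowedPosterHosts = map[string]bool{
	"image.tmdb.org":       true,
	"artworks.thetvdb.com": true,
}

var errBadURL = errors.New("poster url rejected")

// ValidatePosterURL is the destination check the vulnerable endpoint lacked:
// https only, no embedded credentials, no IP-literal hosts (they would bypass
// hostname allowlisting), hostname on the allowlist, default port only.
func ValidatePosterURL(raw string, allowed map[string]bool) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", errBadURL, err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", errBadURL, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: credentials in url", errBadURL)
	}
	host := strings.ToLower(u.Hostname())
	if net.ParseIP(host) != nil {
		return nil, fmt.Errorf("%w: ip literal %q", errBadURL, host)
	}
	if !allowed[host] {
		return nil, fmt.Errorf("%w: host %q not allowlisted", errBadURL, host)
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, fmt.Errorf("%w: port %q", errBadURL, p)
	}
	return u, nil
}

// IsForbiddenIP flags the address ranges SSRF is usually aimed at: loopback,
// link-local (which covers the 169.254.169.254 metadata address), private,
// unspecified and multicast.
func IsForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsPrivate() || ip.IsUnspecified() || ip.IsMulticast()
}

// NewPosterClient builds an http.Client whose dialer inspects the address
// *after* DNS resolution, so a poisoned or rebinding DNS answer that points an
// allowlisted name at an internal IP is refused at connect time. Redirects are
// re-validated so a hop cannot lead back inside.
func NewPosterClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			ip := net.ParseIP(host)
			if ip == nil || IsForbiddenIP(ip) {
				return fmt.Errorf("%w: resolved to %s", errBadURL, host)
			}
			return nil
		},
	}
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			_, err := ValidatePosterURL(req.URL.String(), allowedPosterHosts)
			return err
		},
	}
}

func main() {
	// Constructed sample inputs: one legitimate poster URL and three SSRF attempts.
	for _, raw := range []string{
		"https://image.tmdb.org/t/p/w500/poster.jpg",
		"http://169.254.169.254/latest/meta-data/",
		"https://127.0.0.1:8096/System/Info",
		"https://user:pw@image.tmdb.org/x.jpg",
	} {
		_, err := ValidatePosterURL(raw, allowedPosterHosts)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
	_ = NewPosterClient()
}
```

The two checks are deliberately separate: the URL-level check is cheap and gives the user a clear error, while the dial-time check is what actually stops a request from reaching an internal address, since only the resolved IP is authoritative. A handler for the cache endpoint would call ValidatePosterURL on the parameter and then fetch only with the client returned by NewPosterClient.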