CVE-2025-64178
📋 TL;DR
CVE-2025-64178 is a server-side request forgery (SSRF) vulnerability in Jellysweep, a cleanup tool for Jellyfin media servers. Authenticated users can exploit the /api/images/cache endpoint to make the server download arbitrary content from external URLs. This affects Jellysweep versions 0.12.1 and below.
💻 Affected Systems
- Jellysweep
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the server as a proxy to scan internal networks, access internal services, or download malicious content that could lead to further compromise.
Likely Case
Authenticated malicious users could exfiltrate data from internal services, perform port scanning, or abuse the server's network position.
If Mitigated
With proper network segmentation and authentication controls, impact is limited to the server's network access scope.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authentication is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.13.0
Vendor Advisory: https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg
Restart Required: Yes
Instructions:
1. Stop the Jellysweep service.
2. Update to version 0.13.0 via package manager or manual installation.
3. Restart the Jellysweep service.
🔧 Temporary Workarounds
Restrict network access
- Limit Jellysweep's network access to only the necessary Jellyfin servers
- Use firewall rules to restrict outbound connections from Jellysweep
Disable vulnerable endpoint
- Block access to the /api/images/cache endpoint
- Configure a reverse proxy or firewall to block requests to /api/images/cache
🧯 If You Can't Patch
- Implement strict authentication controls and monitor for suspicious authenticated sessions
- Place Jellysweep in its own network segment so it cannot reach sensitive internal services
🔍 How to Verify
Check if Vulnerable:
Check Jellysweep version and compare to affected versions (0.12.1 and below)
Check Version:
jellysweep --version or check package manager
Verify Fix Applied:
Confirm version is 0.13.0 or higher and test that /api/images/cache endpoint no longer accepts arbitrary URLs
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound connections from Jellysweep to unexpected IPs/domains
- Multiple requests to /api/images/cache with varying URL parameters
Network Indicators:
- Jellysweep server making outbound connections to non-Jellyfin services
- Unusual traffic patterns from Jellysweep to internal network segments
SIEM Query:
source="jellysweep" AND (url_path="/api/images/cache" OR dest_ip NOT IN (allowed_jellyfin_ips))
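A Python sketch of the same detection logic run over constructed sample log lines, added here as an example rather than taken from the page or the Jellysweep project: it reports /api/images/cache requests whose target host is outside the Jellyfin allowlist (tagging private-address targets separately) and users issuing a burst of distinct targets. The JSON-per-line log shape, the allowlist value and the `url` query-parameter name are assumptions.

```python
import json
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

# Hosts Jellysweep is expected to fetch from (assumed value for this deployment).
ALLOWED_JELLYFIN_HOSTS = {"jellyfin.internal.example"}
# Distinct cache targets per user at or above which the activity is reported as a burst.
BURST_THRESHOLD = 3
# Constructed sample log lines (JSON per line); not real Jellysweep output.
# The query-parameter name "url" is an assumption for the example.
SAMPLE_LOG = """\
{"ts":"2025-11-01T10:00:01Z","source":"jellysweep","user":"alice","path":"/api/images/cache","query":"url=https://jellyfin.internal.example/Items/1/Images/Primary"}
{"ts":"2025-11-01T10:00:05Z","source":"jellysweep","user":"bob","path":"/api/images/cache","query":"url=http://10.0.0.5:8080/"}
{"ts":"2025-11-01T10:00:06Z","source":"jellysweep","user":"bob","path":"/api/images/cache","query":"url=http://10.0.0.6:22/"}
{"ts":"2025-11-01T10:00:07Z","source":"jellysweep","user":"bob","path":"/api/images/cache","query":"url=http://mirror.example.net/x.png"}
{"ts":"2025-11-01T10:00:09Z","source":"jellysweep","user":"alice","path":"/api/media","query":""}
"""

def classify_target(target):
    """Return None if the target host is allowlisted, else a short reason string."""
    host = urlparse(target).hostname or ""
    if host in ALLOWED_JELLYFIN_HOSTS:
        return None
    try:
        if ip_address(host).is_private:
            return "internal address"
    except ValueError:
        pass  # host is a name (or empty), not an IP literal
    return "non-allowlisted host"

def analyze(log_text):
    """Mirror the SIEM query: cache requests outside the allowlist, plus per-user bursts."""
    findings = []
    targets_by_user = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("source") != "jellysweep" or rec.get("path") != "/api/images/cache":
            continue
        target = parse_qs(rec.get("query", "")).get("url", [""])[0]
        targets_by_user[rec["user"]].add(target)
        reason = classify_target(target)
        if reason:
            findings.append({"user": rec["user"], "ts": rec["ts"], "reason": reason, "target": target})
    for user, targets in targets_by_user.items():
        if len(targets) >= BURST_THRESHOLD:
            findings.append({"user": user, "reason": "burst", "distinct_targets": len(targets)})
    return findings
```

On the sample input only bob is reported: two internal-address targets, one non-allowlisted host, and a burst of three distinct targets; alice's allowlisted Jellyfin fetch produces no finding.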