CVE-2025-64178: Jellysweep uses uncontrolled data in image cache API endpoint

November 4, 2025 (updated November 7, 2025)

The /api/images/cache endpoint, which is used to download media posters from the server, accepted a url parameter that was passed directly to the cache package, which then downloaded the poster from that URL. This URL parameter can be used to make the jellysweep server download arbitrary content.

The API endpoint can only be used by authenticated users.
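As an added example, not code from the jellysweep project: a hypothetical Go validation step for the url parameter described above. It allowlists the poster host, rejects non-https schemes, userinfo, IP literals and non-standard ports, and re-applies the same check on every redirect hop so an allowed host cannot bounce the server elsewhere. The allowlist entry image.tmdb.org is a constructed value.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Constructed allowlist for this example; a real deployment would build it from
// the configured metadata/poster servers.
var allowedPosterHosts = map[string]bool{"image.tmdb.org": true}
var errRejected = errors.New("poster url rejected")

// validatePosterURL is the hypothetical check the endpoint applies to the
// user-supplied url parameter before anything is fetched.
func validatePosterURL(raw string, allowed map[string]bool) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.User != nil {
		return nil, errRejected // no file://, gopher://, plain http, or user:pass@ forms
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || net.ParseIP(host) != nil || !allowed[host] {
		return nil, errRejected // no IP literals (loopback, link-local, RFC 1918) and no unknown hosts
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, errRejected // allowed hosts only on their standard port
	}
	return u, nil
}

// newPosterClient re-validates every redirect hop, so an allowed host cannot
// bounce the server to an internal address via a 3xx response.
func newPosterClient(allowed map[string]bool) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, _ []*http.Request) error {
			_, err := validatePosterURL(req.URL.String(), allowed)
			return err
		},
	}
}

func main() {
	for _, raw := range []string{"https://image.tmdb.org/t/p/w500/a.jpg", "http://127.0.0.1:8096/x", "https://image.tmdb.org@evil.example/"} {
		_, err := validatePosterURL(raw, allowedPosterHosts)
		fmt.Printf("%-45s accepted=%v\n", raw, err == nil)
	}
}
```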

References

  • github.com/advisories/GHSA-xc93-q32j-cpcg
  • github.com/jon4hz/jellysweep
  • github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101
  • github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg
  • nvd.nist.gov/vuln/detail/CVE-2025-64178

Affected versions

All versions before 0.13.0

Fixed versions

  • 0.13.0

Solution

Upgrade to version 0.13.0 or above.

Weakness

  • CWE-918: Server-Side Request Forgery (SSRF)

Source file

go/github.com/jon4hz/jellysweep/CVE-2025-64178.yml
