Arbitrary Content Download Flaw in Jellysweep Cleanup Tool for Jellyfin Media Server
CVE-2025-64178

8.9HIGH

Key Information:

Vendor: Jon4hz
Status: Jellysweep
Vendor: CVE Published:; 6 November 2025

What is CVE-2025-64178?

Jellysweep, a cleanup tool for the Jellyfin media server, contains an arbitrary content download vulnerability in versions 0.12.1 and earlier. The flaw arises in the /api/images/cache endpoint, which improperly accepts a URL parameter directly used to fetch media posters from external sources. This misuse allows authenticated users to manipulate the server into downloading arbitrary content, posing significant risks to system integrity. The issue has been addressed in version 0.13.0, where proper validation measures have been implemented.

Affected Version(s)

jellysweep < 0.13.0

References

https://github.com/jon4hz/jellysweep/security/advisories/...

x_refsource_CONFIRM

https://github.com/jon4hz/jellysweep/commit/1746631251096...

x_refsource_MISC

CVSS V4

Score:

8.9

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 6, 2025
Vulnerability Reserved
Oct 28, 2025

JSON

Jon4hz

What is CVE-2025-64178?

Affected Version(s)

References

CVSS V4

Timeline