
CVE-2025-64178: CWE-918: Server-Side Request Forgery (SSRF) in jon4hz jellysweep

Severity: High
Tags: Vulnerability, CVE-2025-64178, cve, cwe-918
Published: Thu Nov 06 2025 (11/06/2025, 21:46:58 UTC)
Source: CVE Database V5
Vendor/Project: jon4hz
Product: jellysweep

Description

Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.

AI-Powered Analysis

Last updated: 11/14/2025, 00:49:03 UTC

Technical Analysis

CVE-2025-64178 is a Server-Side Request Forgery (SSRF) vulnerability in jon4hz jellysweep, a cleanup tool for the Jellyfin media server, affecting versions 0.12.1 and earlier. The flaw sits in the /api/images/cache endpoint, which downloads media poster images from a caller-supplied URL parameter. That parameter was handed straight to the cache package that performs the download, with no validation of scheme, host or destination address, so any authenticated user can make the jellysweep server issue an HTTP request to a URL of their choosing, including hosts on the internal network or on the server's own loopback interface that the user cannot reach directly.

The usual SSRF consequences follow: reaching services that sit behind the server's firewall, probing internal ports, and using the server as a proxy toward administrative interfaces or, on a cloud-hosted instance, the instance metadata service. Whether the fetched content is also returned to the attacker depends on how the cached poster is later served; the advisory states only that arbitrary content can be downloaded.

Exploitation requires a valid jellysweep account but no further user interaction. The record carries a CVSS 4.0 base score of 8.9 (high), reflecting the potential impact on confidentiality and integrity through unauthorized access to internal resources. The issue was published on November 6, 2025 and is fixed in jellysweep 0.13.0. No in-the-wild exploitation is known at the time of writing, but an unpatched instance that can reach sensitive internal services remains a meaningful risk.

Potential Impact

For European organizations, the consequences of this SSRF depend on what the jellysweep host can reach. An attacker with valid credentials can make the server perform requests to internal network resources, potentially reading data from internal APIs that are not exposed externally, which can lead to information disclosure or serve as a foothold for lateral movement. In media server environments, jellysweep typically sits next to Jellyfin and its supporting infrastructure, so databases or administrative interfaces on the same segment are the most likely targets.

The authentication requirement narrows the attack surface but does not remove it, particularly where accounts are shared, credentials are weak, or many users hold access. Jellyfin and its companion tools are popular in European home and small-business setups that are rarely hardened, which raises the chance that a vulnerable instance is reachable by an untrusted user. The absence of known exploits currently provides a window for proactive patching and mitigation.

Mitigation Recommendations

European organizations should upgrade jellysweep to version 0.13.0 or later, where this SSRF vulnerability is fixed. Until the upgrade is possible, restrict the /api/images/cache endpoint to trusted users and monitor authenticated requests for URL parameters that name loopback, private or link-local addresses, internal hostnames, or non-HTTP schemes.

The most reliable compensating control is at the network layer: use firewall rules or egress filtering so the jellysweep host can only make outbound HTTP requests to the poster sources it actually needs, and cannot reach internal IP ranges or the loopback addresses of co-located services. A web application firewall that flags suspicious URL parameters adds a layer, but treat it as defense in depth rather than a fix: an attacker can supply a hostname they control that resolves to an internal address, which a signature on the literal URL will not catch.

Audit the accounts that hold jellysweep access so that only authorized personnel have credentials, and consider isolating the service in a segmented network zone with minimal access to sensitive internal resources to limit what a successful SSRF can reach. Logging and alerting on unusual outbound connections from the jellysweep server, especially toward internal ranges, can surface exploitation attempts early.
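The technical analysis above describes the vulnerable shape (the URL parameter goes straight to the download, effectively an unchecked http.Get on user input) and the mitigations call for limiting which destinations the server will fetch. The following Go program, added here as an illustration and not taken from jellysweep or any other project, shows what the application-side half of that looks like: a hostname allowlist on the incoming URL, a dialer that vets the resolved IP addresses before connecting (so a DNS name that rebinds to 127.0.0.1 or 10.0.0.0/8 is still refused), and redirect re-validation. The allowlist value, the hostnames, ErrDisallowedURL and every function name are assumptions chosen for the example; jellysweep's actual fix in 0.13.0 may differ.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// ErrDisallowedURL wraps every rejection so callers can test for it with errors.Is.
var ErrDisallowedURL = errors.New("poster URL rejected")

// ValidatePosterURL admits only http(s) URLs without embedded credentials whose
// hostname is a configured poster source. allowedHosts is an assumed config value.
func ValidatePosterURL(raw string, allowedHosts map[string]bool) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrDisallowedURL, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrDisallowedURL, u.Scheme)
	}
	if u.User != nil { // "allowed.host@evil.host" must not pass as allowed.host
		return nil, fmt.Errorf("%w: userinfo not permitted", ErrDisallowedURL)
	}
	if host := strings.ToLower(u.Hostname()); !allowedHosts[host] {
		return nil, fmt.Errorf("%w: host %q not in allowlist", ErrDisallowedURL, host)
	}
	return u, nil
}

// PickDialTarget returns the first resolved address outside loopback, RFC 1918/ULA,
// link-local (which covers 169.254.169.254), multicast and unspecified space. Vetting
// the resolved IPs and dialing exactly that IP closes the DNS rebinding gap.
func PickDialTarget(addrs []net.IPAddr) (net.IP, error) {
	for _, a := range addrs {
		ip := a.IP
		if !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
			ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()) {
			return ip, nil
		}
	}
	return nil, fmt.Errorf("%w: resolves only to internal addresses", ErrDisallowedURL)
}

// NewPosterClient resolves hosts itself, vets the answer and connects to the vetted
// IP. Redirects are re-validated: a 302 from a permitted host is another SSRF path.
func NewPosterClient(allowedHosts map[string]bool, timeout time.Duration) *http.Client {
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
		ip, err := PickDialTarget(addrs)
		if err != nil {
			return nil, err
		}
		return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
	}
	redirect := func(req *http.Request, via []*http.Request) error {
		if len(via) >= 3 {
			return fmt.Errorf("%w: too many redirects", ErrDisallowedURL)
		}
		_, err := ValidatePosterURL(req.URL.String(), allowedHosts)
		return err
	}
	return &http.Client{Timeout: timeout, Transport: &http.Transport{DialContext: dial}, CheckRedirect: redirect}
}

// FetchPoster is the hardened shape: validate, then fetch through the vetted client.
func FetchPoster(ctx context.Context, c *http.Client, raw string, allowedHosts map[string]bool) (*http.Response, error) {
	u, err := ValidatePosterURL(raw, allowedHosts)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	return c.Do(req)
}

func main() {
	allowed := map[string]bool{"posters.example.test": true} // assumed configured poster source
	for _, raw := range []string{"https://posters.example.test/img/1.jpg",
		"http://169.254.169.254/latest/meta-data/", "http://localhost:8096/System/Info"} {
		_, err := ValidatePosterURL(raw, allowed)
		fmt.Println(raw, "->", err)
	}
}
```

The allowlist alone is not enough, which is why the dialer does its own resolution: a permitted hostname can be pointed at an internal address by whoever controls its DNS, and checking the name without checking the answer leaves that open. Network-layer egress filtering, as recommended above, should still back this up, since application code can only vet the destinations it knows about.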


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-28T21:07:16.439Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 690d1871a155e591f583f3b2

Added to database: 11/6/2025, 9:51:45 PM

Last enriched: 11/14/2025, 12:49:03 AM

Last updated: 12/22/2025, 3:35:14 PM

Views: 98

