
CVE-2025-64178: CWE-918: Server-Side Request Forgery (SSRF) in jon4hz jellysweep

Severity: High
Published: Thu Nov 06 2025 (11/06/2025, 21:46:58 UTC)
Source: CVE Database V5
Vendor/Project: jon4hz
Product: jellysweep

Description

Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.

AI-Powered Analysis

Last updated: 11/06/2025, 22:06:12 UTC

Technical Analysis

CVE-2025-64178 is a Server-Side Request Forgery (SSRF) vulnerability in jellysweep, the jon4hz cleanup tool for the Jellyfin media server, affecting versions 0.12.1 and below. The flaw is in the /api/images/cache endpoint, which downloads media poster images from a caller-supplied URL parameter. That parameter is passed directly to the cache package that fetches the image, with no validation or sanitization, so an authenticated user can supply an arbitrary URL and make the server issue HTTP requests to destinations of their choosing. Because the request originates from the server, it can reach internal network resources that are not reachable from outside, which may enable information disclosure, internal network reconnaissance, or interaction with internal services. Authentication is required, which limits exploitation to holders of valid credentials, but no further user interaction is needed. The vulnerability carries a CVSS 4.0 score of 8.9 (high), reflecting a network attack vector, low attack complexity, and high impact on availability. It was publicly disclosed on November 6, 2025, and fixed in jellysweep version 0.13.0. No exploitation in the wild has been reported to date. The vulnerability is classified under CWE-918 (Server-Side Request Forgery).

Potential Impact

For European organizations using jellysweep versions prior to 0.13.0, this SSRF vulnerability poses significant risks. Attackers with valid credentials can leverage the flaw to make the server perform unauthorized requests to internal systems, potentially bypassing firewall protections and accessing sensitive internal services such as databases, metadata servers, or administrative interfaces. This could lead to confidential data exposure, internal network mapping, or pivoting to further attacks. The impact on availability is also high, as malicious requests could overload internal services or cause denial-of-service conditions. Given that jellysweep is a cleanup tool for Jellyfin media servers, organizations using Jellyfin for media management in corporate or institutional environments may be at risk, especially if the API endpoint is exposed beyond trusted networks. The requirement for authentication reduces risk from external anonymous attackers but does not eliminate insider threats or compromised credentials. The lack of known exploits in the wild suggests limited active exploitation currently, but the high severity score warrants prompt remediation to prevent potential future attacks.

Mitigation Recommendations

European organizations should immediately upgrade jellysweep to version 0.13.0 or later, where this SSRF vulnerability is fixed. Until upgrading is possible, restrict access to the /api/images/cache endpoint to trusted users and networks only, using network segmentation and firewall rules to limit exposure. Implement strict authentication and authorization controls to ensure only legitimate users can access the API. Monitor logs for unusual or unexpected requests to the endpoint that include suspicious URL parameters. Employ web application firewalls (WAFs) with SSRF detection capabilities to block malicious requests. Additionally, conduct internal network scans to identify any exposed internal services that could be targeted via SSRF and harden those services accordingly. Educate users about the risks of credential compromise to reduce insider threat potential. Finally, integrate jellysweep into a secure update management process to ensure timely application of future security patches.
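The root cause described above is a URL parameter handed straight to the poster fetcher. The Go code below is an added example, not jellysweep's own code or its 0.13.0 fix: a hypothetical allowlist check that accepts only URLs on the operator-configured Jellyfin server, plus an http.Client that re-applies the same check on every redirect hop (Go's default client follows redirects, so an allowlisted host alone is not enough). The function names, the base URL and the sample hosts are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrDisallowedURL marks a poster URL that failed the allowlist.
var ErrDisallowedURL = errors.New("poster URL not allowed")

// ValidatePosterURL (hypothetical name) accepts only URLs on the configured
// Jellyfin server, jellyfinBase (e.g. "http://jellyfin.local:8096"): scheme
// and host:port must match it exactly, and no userinfo may be present.
func ValidatePosterURL(raw, jellyfinBase string) (*url.URL, error) {
	base, err := url.Parse(jellyfinBase)
	if err != nil {
		return nil, fmt.Errorf("invalid jellyfin base: %w", err)
	}
	if base.Host == "" || (base.Scheme != "http" && base.Scheme != "https") {
		return nil, errors.New("jellyfin base must be an absolute http(s) URL")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrDisallowedURL, err)
	}
	if u.User != nil { // userinfo is never legitimate in a poster URL
		return nil, fmt.Errorf("%w: userinfo present", ErrDisallowedURL)
	}
	if !strings.EqualFold(u.Scheme, base.Scheme) || !strings.EqualFold(u.Host, base.Host) {
		return nil, fmt.Errorf("%w: %q is not the configured Jellyfin server", ErrDisallowedURL, u.Host)
	}
	return u, nil
}

// NewPosterClient re-runs the allowlist on every redirect hop, so a poster
// fetch from the allowed host cannot be bounced to an internal address.
func NewPosterClient(jellyfinBase string) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return fmt.Errorf("%w: too many redirects", ErrDisallowedURL)
			}
			_, err := ValidatePosterURL(req.URL.String(), jellyfinBase)
			return err
		},
	}
}
```

A handler would call ValidatePosterURL on the parameter before touching the cache and fetch only through NewPosterClient; the host:port comparison is deliberately exact, so a base configured with a port rejects URLs that omit it.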


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-10-28T21:07:16.439Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 690d1871a155e591f583f3b2

Added to database: 11/6/2025, 9:51:45 PM

Last enriched: 11/6/2025, 10:06:12 PM

Last updated: 11/7/2025, 5:54:24 AM

