Publish GHSA-xc93-q32j-cpcg

advisory-database[bot] · advisory-database[bot] · commit 2ebb211ed5ed · 2025-11-04T14:32:38.000Z
diff --git a/advisories/github-reviewed/2025/11/GHSA-xc93-q32j-cpcg/GHSA-xc93-q32j-cpcg.json b/advisories/github-reviewed/2025/11/GHSA-xc93-q32j-cpcg/GHSA-xc93-q32j-cpcg.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xc93-q32j-cpcg",
+  "modified": "2025-11-04T14:30:22Z",
+  "published": "2025-11-04T14:30:22Z",
+  "aliases": [
+    "CVE-2025-64178"
+  ],
+  "summary": "Jellysweep uses uncontrolled data in image cache API endpoint",
+  "details": "### Impact\nThe `/api/images/cache` which is used to download media posters from the server accepted an `url` parameter, which was directly passed to the cache package and that downloaded the poster from this URL.\nThis URL parameter can be used to make the jellysweep server download arbitrary content.\n\nThe API endpoint can only be used by authenticated users.\n\n### Patches\n\nFixed in `v0.13.0`. The affected (and now fixed) library was also moved to `internal/` because it wasn't meant to be imported.\n\n\n### References\nhttps://github.com/jon4hz/jellysweep/security/code-scanning/28",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/jon4hz/jellysweep"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.13.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/jon4hz/jellysweep/security/advisories/GHSA-xc93-q32j-cpcg"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jon4hz/jellysweep/commit/17466312510966418aea941e4944229856d55101"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jon4hz/jellysweep"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-04T14:30:22Z",
+    "nvd_published_at": null
+  }
+}
