Platform
go
Component
github.com/jon4hz/jellysweep
Fixed in
0.13.1
0.13.0
CVE-2025-64178 describes a vulnerability in jellysweep's image cache API endpoint. The issue stems from uncontrolled data reaching that endpoint, which can lead to a denial-of-service (DoS) condition. It affects versions of jellysweep prior to 0.13.0; the fix is released in 0.13.0.
The endpoint acts on caller-supplied data without adequate validation, so an attacker can craft requests that exhaust resources on the host (CPU, memory, disk used by the cache, or outbound connections), rendering jellysweep unavailable to legitimate users. The advisory text does not spell out a specific attack vector beyond resource exhaustion through crafted API calls. Note that the project's own fix description (see the upgrade note below) states that 0.13.0 validates the URLs the endpoint uses to download images, which means the server was previously fetching content from locations chosen by the caller; anything reachable from the jellysweep host over the network is therefore in scope, not only the host itself. The direct impact is service disruption, with cascading effects depending on how central jellysweep is to the media stack it cleans up.
CVE-2025-64178 was publicly disclosed on 2025-11-17. There is no indication of this vulnerability being added to the CISA KEV catalog or being actively exploited at this time, and no public proof-of-concept (PoC) is available. Because the endpoint is reachable by any authenticated user and the trigger is an ordinary HTTP request, a PoC would require little beyond a valid session, so do not treat the absence of one as a reason to defer the upgrade.
Exploit Status
EPSS
0.08% (23rd percentile)
CISA SSVC
The primary mitigation for CVE-2025-64178 is to upgrade jellysweep to version 0.13.0 or later, which addresses the uncontrolled data handling in the image cache API. If an immediate upgrade is not feasible because of compatibility or testing constraints, compensating controls are: restrict who can authenticate to jellysweep, since the endpoint is reachable by authenticated users; restrict outbound network access from the jellysweep host (egress rules or a forward proxy with an allowlist of image hosts), which limits what a server-side fetch of an attacker-chosen URL can reach; and, if you can patch the application yourself, validate the URLs the endpoint downloads from (scheme, host allowlist, resolved address) and cap the size of fetched images. A WAF in front of the endpoint may block obviously malformed requests but cannot tell a legitimate image URL from a hostile one, so it is not sufficient without application-level changes. Monitor CPU, memory, cache disk usage and outbound connection counts on the host for spikes that could indicate an attempt to exhaust resources.
Update jellysweep to version 0.13.0 or higher. This version fixes the SSRF vulnerability by correctly validating the URLs used to download images, so authenticated users can no longer make the server download arbitrary content.
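The fix note above says that 0.13.0 validates the URLs the image cache endpoint downloads from. The following is an added example of what such validation looks like in Go; it is illustrative code written for this page, not jellysweep's own implementation, and the type and function names (ImageURLPolicy, ValidateImageURL), the allowlist contents and the fake resolver are assumptions for the example. It rejects non-http(s) schemes, embedded credentials, hosts outside a configured allowlist, and allowlisted hosts that resolve to loopback, private, link-local or otherwise non-public addresses (the DNS-rebinding case a plain hostname allowlist misses).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// ImageURLPolicy describes which remote image URLs a cache endpoint may fetch.
// Hypothetical type for this example; not part of jellysweep.
type ImageURLPolicy struct {
	AllowedHosts []string                            // hostnames the endpoint may fetch from
	LookupIP     func(host string) ([]net.IP, error) // resolver; nil means net.LookupIP
}

var (
	ErrScheme   = errors.New("scheme must be http or https")
	ErrUserinfo = errors.New("credentials in URL are not allowed")
	ErrHost     = errors.New("host is not in the allowlist")
	ErrPrivate  = errors.New("host resolves to a non-public address")
)

// ValidateImageURL returns nil only if raw is an http(s) URL without userinfo,
// whose host is on the allowlist and resolves exclusively to public unicast addresses.
func ValidateImageURL(raw string, p ImageURLPolicy) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return ErrScheme
	}
	if u.User != nil {
		return ErrUserinfo
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return ErrHost
	}
	allowed := false
	for _, h := range p.AllowedHosts {
		if strings.EqualFold(h, host) {
			allowed = true
			break
		}
	}
	if !allowed {
		return ErrHost // also rejects raw IP literals such as 127.0.0.1 or 169.254.169.254
	}
	lookup := p.LookupIP
	if lookup == nil {
		lookup = net.LookupIP
	}
	ips, err := lookup(host)
	if err != nil {
		return fmt.Errorf("resolve %s: %w", host, err)
	}
	if len(ips) == 0 {
		return ErrPrivate
	}
	// Every address the name resolves to must be public; one internal answer is enough to refuse.
	for _, ip := range ips {
		addr, ok := netip.AddrFromSlice(ip)
		if !ok {
			return ErrPrivate
		}
		addr = addr.Unmap() // treat ::ffff:127.0.0.1 like 127.0.0.1
		if !addr.IsGlobalUnicast() || addr.IsPrivate() || addr.IsLoopback() || addr.IsLinkLocalUnicast() {
			return ErrPrivate
		}
	}
	return nil
}

func main() {
	// Constructed resolver so the demo runs offline; real code would use net.LookupIP.
	fake := func(host string) ([]net.IP, error) {
		switch host {
		case "images.example.com":
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		case "rebind.example.com":
			return []net.IP{net.ParseIP("127.0.0.1")}, nil
		}
		return nil, errors.New("no such host")
	}
	p := ImageURLPolicy{AllowedHosts: []string{"images.example.com", "rebind.example.com"}, LookupIP: fake}
	for _, raw := range []string{
		"https://images.example.com/poster.jpg",
		"file:///etc/passwd",
		"http://127.0.0.1:8096/System/Info",
		"http://rebind.example.com/poster.jpg",
	} {
		fmt.Printf("%-45s -> %v\n", raw, ValidateImageURL(raw, p))
	}
}
```

The resolution check closes the gap between "the hostname is allowed" and "the connection goes somewhere safe", but it is still a check-then-use pattern: a name can resolve differently when the HTTP client connects. A production fetcher should dial the address that passed validation (for example through a custom DialContext) rather than letting the client resolve the name again, and should cap the response body size so a hostile but allowlisted server cannot fill the cache.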
CVE-2025-64178 is a HIGH severity vulnerability in jellysweep where uncontrolled data in the image cache API can lead to a denial-of-service.
You are affected if you are using a version of jellysweep prior to 0.13.0. Check your installed version and upgrade accordingly.
Upgrade to version 0.13.0 or later of jellysweep to address the uncontrolled data handling issue. Until then, restrict who can authenticate and limit outbound network access from the host as temporary workarounds.
There is currently no evidence of active exploitation of CVE-2025-64178, but public PoCs may emerge.
Refer to the jellysweep project's official repository or website for the latest security advisories and updates.