Platform
go
Component
github.com/jon4hz/jellysweep
Fixed in
0.13.1
0.13.0
CVE-2025-64178 describes a vulnerability in jellysweep's image cache API endpoint: the endpoint handles request data without adequate controls, and that uncontrolled data can be driven into a denial-of-service (DoS) condition. Versions of jellysweep prior to 0.13.0 are affected; the fix was released in version 0.13.0.
Because the endpoint does not adequately constrain the data it accepts, an attacker can craft requests that exhaust the host's resources, leaving jellysweep unavailable to legitimate users. The impact is service disruption; where jellysweep plays a critical role in an organization's workflow, the outage can have knock-on effects. The public description does not spell out the request vector, only that carefully crafted API calls can trigger resource exhaustion; the remediation note on this page adds that the fix validates the URLs the endpoint uses to download images. The blast radius is limited to the host running jellysweep.
CVE-2025-64178 was publicly disclosed on 2025-11-17. There is no indication that it has been added to the CISA KEV catalog or exploited in the wild. No public proof-of-concept (PoC) is available, but given the nature of the flaw a working PoC is likely to be straightforward to produce once the endpoint and its parameters are known.
Anyone running an affected jellysweep release is at risk, in practice the developers and system administrators who operate jellysweep deployments. Instances whose API is reachable from untrusted networks are the most exposed.
• go / server: Monitor application logs for unusual requests to the image cache API endpoint: oversized payloads, unexpected content types, or bursts of requests from a single client. The grep pattern below is a placeholder; narrow it to the endpoint's path as it appears in your logs.
journalctl -u jellysweep -f | grep -i "image"
• generic web: Use curl to send the endpoint test payloads (very large files, malformed data) and watch CPU and memory on the host for abnormal consumption. The endpoint path is not given in the advisory; substitute the one from your deployment.
curl -F "image=@large_file.jpg" http://<jellysweep_server>/<image_cache_endpoint>
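A log-based detection for the monitoring step above, written for this page as an added example (it is not jellysweep's code and not from the advisory). It assumes the application writes one logfmt-style line per request with ts, path, remote, bytes_in and status fields, and that the image cache endpoint is served at /api/images/cache; both are assumptions to be mapped onto the real log format and path. The sample log lines are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Assumptions: the image cache endpoint lives at imageCachePath and the application
// writes one logfmt-style line per request. Neither is given on the page.
const (
	imageCachePath = "/api/images/cache"
	maxBodyBytes   = 10 << 20 // flag request bodies over 10 MiB
	rateWindow     = 60 * time.Second
	rateThreshold  = 5 // flag a client that sends this many requests inside rateWindow
)

// sampleLog is constructed test input, not real jellysweep output.
const sampleLog = `ts=2025-11-18T10:00:01Z method=POST path=/api/images/cache remote=203.0.113.5 bytes_in=2048 status=200
ts=2025-11-18T10:00:02Z method=POST path=/api/images/cache remote=203.0.113.5 bytes_in=52428800 status=200
ts=2025-11-18T10:00:02Z method=GET path=/api/media remote=198.51.100.7 bytes_in=0 status=200
ts=2025-11-18T10:00:03Z method=POST path=/api/images/cache remote=198.51.100.7 bytes_in=1024 status=200
ts=2025-11-18T10:00:03Z method=POST path=/api/images/cache remote=198.51.100.7 bytes_in=1100 status=200
ts=2025-11-18T10:00:04Z method=POST path=/api/images/cache remote=198.51.100.7 bytes_in=1200 status=200
ts=2025-11-18T10:00:05Z method=POST path=/api/images/cache remote=198.51.100.7 bytes_in=1300 status=200
ts=2025-11-18T10:00:59Z method=POST path=/api/images/cache remote=198.51.100.7 bytes_in=1400 status=200
ts=2025-11-18T10:01:30Z method=POST path=/api/images/cache remote=198.51.100.7 bytes_in=1500 status=500`

// Alert is one finding; Line is the 1-based line number in the scanned input.
type Alert struct {
	Rule   string
	Remote string
	Line   int
}

// parseLogfmt splits "k=v k2=v2 ..." into a map (values in the sample are unquoted).
func parseLogfmt(line string) map[string]string {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// Analyze applies three rules to requests that hit the image cache endpoint: an
// oversized request body, a 5xx response (a symptom of exhaustion), and a burst of
// requests from one client inside a sliding window.
func Analyze(logText string) []Alert {
	var alerts []Alert
	recent := map[string][]time.Time{} // per-client timestamps still inside the window
	sc := bufio.NewScanner(strings.NewReader(logText))
	for n := 1; sc.Scan(); n++ {
		f := parseLogfmt(sc.Text())
		if f["path"] != imageCachePath {
			continue
		}
		if b, err := strconv.ParseInt(f["bytes_in"], 10, 64); err == nil && b > maxBodyBytes {
			alerts = append(alerts, Alert{"oversized_body", f["remote"], n})
		}
		if s, err := strconv.Atoi(f["status"]); err == nil && s >= 500 {
			alerts = append(alerts, Alert{"server_error", f["remote"], n})
		}
		ts, err := time.Parse(time.RFC3339, f["ts"])
		if err != nil {
			continue
		}
		// In-place filter: drop timestamps that fell out of the window, then add this one.
		kept := recent[f["remote"]][:0]
		for _, t := range recent[f["remote"]] {
			if ts.Sub(t) <= rateWindow {
				kept = append(kept, t)
			}
		}
		kept = append(kept, ts)
		if len(kept) >= rateThreshold {
			alerts = append(alerts, Alert{"request_burst", f["remote"], n})
			kept = kept[:0] // one alert per burst, then start counting again
		}
		recent[f["remote"]] = kept
	}
	return alerts
}

func main() {
	for _, a := range Analyze(sampleLog) {
		fmt.Printf("line %d: %s from %s\n", a.Line, a.Rule, a.Remote)
	}
}
```

Run against the constructed sample it reports three findings: the 50 MiB body on line 2, a five-request burst from 198.51.100.7 that completes on line 8, and the 500 on line 9. Feed it `journalctl -u jellysweep -o cat` output once the field names match your deployment's log format.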
Disclosure
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
The primary mitigation for CVE-2025-64178 is to upgrade jellysweep to version 0.13.0 or later, which fixes the uncontrolled data handling. If an immediate upgrade is not feasible because of compatibility or testing constraints, add input validation on the image cache API endpoint in the meantime: cap the size of accepted requests and restrict the types of data (and, per the remediation note below, the URLs) it will act on. A WAF can blunt the crudest oversized requests but is unlikely to be sufficient without application-level changes. Monitor CPU and memory on the host for spikes that could indicate an attack in progress.
Update Jellysweep to version 0.13.0 or later. This version fixes the SSRF vulnerability by properly validating the URLs used to download images. The update prevents authenticated users from downloading arbitrary content from the server.
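The interim workaround above (restrict the size and type of data the endpoint accepts) and the fix described in the remediation note (validate the URLs used to download images), combined into one hardened handler. This is an added example written for this page, not jellysweep's own code or its actual fix: the endpoint path, the `url` form field, the byte limits, the timeout and the function names are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

const ( // hypothetical limits; jellysweep's real values and request format are not on the page
	maxRequestBody = 16 << 10 // a request that carries an image URL should be tiny
	maxImageBytes  = 8 << 20  // cap on what is pulled from the remote image URL
	fetchTimeout   = 10 * time.Second
)

// ForbiddenIP: loopback, RFC 1918 / ULA private, link-local (covers 169.254.169.254),
// multicast and unspecified addresses must never be fetched on a caller's behalf.
func ForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateImageURL: absolute http(s) URL, a host, no embedded credentials, and no
// forbidden address when the host is an IP literal.
func ValidateImageURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("unparseable url: %w", err)
	}
	switch {
	case u.Scheme != "http" && u.Scheme != "https":
		return nil, errors.New("scheme must be http or https")
	case u.Hostname() == "":
		return nil, errors.New("missing host")
	case u.User != nil:
		return nil, errors.New("credentials in url not allowed")
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && ForbiddenIP(ip) {
		return nil, errors.New("host is a forbidden address")
	}
	return u, nil
}

// SafeClient bounds the whole fetch in time and refuses to follow redirects, so a
// permitted URL cannot bounce the server to an internal one (a 3xx is treated as failure).
func SafeClient() *http.Client {
	return &http.Client{
		Timeout:       fetchTimeout,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

// ReadLimited reads at most max bytes and fails on anything larger; the body is
// measured, not the Content-Length header, so a lying upstream cannot bypass the cap.
func ReadLimited(r io.Reader, max int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > max {
		return nil, fmt.Errorf("response exceeds %d bytes", max)
	}
	return data, nil
}

// ImageCacheHandler caps the inbound body, reads the image URL from the "url" form
// field (assumed request shape), validates it, and fetches it with bounded size and time.
func ImageCacheHandler(client *http.Client) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxRequestBody)
		if err := r.ParseForm(); err != nil {
			http.Error(w, "request too large or malformed", http.StatusRequestEntityTooLarge)
			return
		}
		u, err := ValidateImageURL(r.FormValue("url"))
		if err != nil {
			http.Error(w, "rejected url: "+err.Error(), http.StatusBadRequest)
			return
		}
		resp, err := client.Get(u.String())
		if err != nil {
			http.Error(w, "fetch failed", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		ct := resp.Header.Get("Content-Type")
		if resp.StatusCode != http.StatusOK || !strings.HasPrefix(ct, "image/") {
			http.Error(w, "upstream did not return an image", http.StatusBadGateway)
			return
		}
		data, err := ReadLimited(resp.Body, maxImageBytes)
		if err != nil {
			http.Error(w, "image too large", http.StatusBadGateway)
			return
		}
		w.Header().Set("Content-Type", ct)
		w.Write(data)
	}
}
```

Wire it up with `http.Handle("/api/images/cache", ImageCacheHandler(SafeClient()))` (path assumed). Two caveats for anyone adapting it: ValidateImageURL only inspects IP literals, so a hostname that resolves (or later rebinds) to an internal address still gets through; the complete defense re-checks the resolved address at connect time via `net.Dialer.Control`. And the inbound cap only helps if it is applied before any body is read, which is why MaxBytesReader wraps r.Body ahead of ParseForm.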
CVE-2025-64178 is a HIGH severity vulnerability in jellysweep: uncontrolled data reaching the image cache API can lead to a denial-of-service.
You are affected if you run a version of jellysweep earlier than 0.13.0. Check your installed version and upgrade.
Upgrade to jellysweep 0.13.0 or later. Until you can, restrict the size and type of data the image cache endpoint accepts as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2025-64178, but public PoCs may emerge.
Refer to the jellysweep project's repository (github.com/jon4hz/jellysweep) for the latest security advisories and updates.