Platform: go
Component: github.com/jon4hz/jellysweep
Fixed versions: 0.13.1, 0.13.0
CVE-2025-64178 describes a vulnerability in jellysweep, specifically within its image cache API endpoint. This issue stems from the uncontrolled use of data, potentially leading to a denial-of-service (DoS) condition. The vulnerability impacts versions of jellysweep prior to 0.13.0, and a fix has been released in version 0.13.0.
The uncontrolled data handling within the image cache API allows an attacker to craft malicious requests that exhaust system resources. This can result in a denial-of-service, rendering the jellysweep application unavailable to legitimate users. The impact is primarily focused on service disruption, but depending on the criticality of jellysweep within an organization’s infrastructure, this could have cascading effects. While the vulnerability description doesn't explicitly detail specific attack vectors, it suggests the possibility of resource exhaustion through carefully crafted API calls. The blast radius is limited to the system hosting the jellysweep application.
CVE-2025-64178 was publicly disclosed on 2025-11-17. There is no indication of this vulnerability being added to the CISA KEV catalog or actively exploited at this time. Public proof-of-concept (PoC) code is currently unavailable, but the vulnerability's nature suggests it could be relatively straightforward to exploit once a PoC is developed.
Organizations that rely on jellysweep for image processing or caching are at risk. This includes developers and system administrators who manage jellysweep deployments. Environments where jellysweep is exposed to untrusted external networks are particularly vulnerable.
• go / server: Monitor application logs for unusual API requests related to image caching. Look for requests with excessively large payloads or unexpected data types.
journalctl -u jellysweep -f | grep "image cache API"
• generic web: Use curl to test the image cache API endpoint with various payloads, including very large files or malformed data, to observe any abnormal behavior or resource consumption.
curl -F "image=@large_file.jpg" http://<jellysweep_server>/image_cache_api
Exploitation status
EPSS
0.08% (23rd percentile)
CISA SSVC
The primary mitigation for CVE-2025-64178 is to upgrade to version 0.13.0 of jellysweep, which addresses the uncontrolled data handling issue. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider implementing input validation and sanitization on the image cache API endpoint to restrict the size and type of data accepted. While a WAF might offer some protection, it's unlikely to be sufficient without application-level changes. Monitor system resources (CPU, memory) for unusual spikes that could indicate a DoS attack.
Update Jellysweep to 0.13.0 or later. This version fixes the SSRF vulnerability by properly validating the URL used to download images. The update prevents authenticated users from downloading arbitrary content from the server.
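As an added example (not jellysweep's own code; the function names, the injected resolver and the 5 MiB limit are assumptions), a Go sketch of the two checks the mitigation text describes: bounding the size and type of data the image cache endpoint accepts, and validating the download URL so the server only fetches from public http(s) hosts:

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
)
// Assumed limits; the advisory does not state jellysweep's actual values.
const maxImageBytes int64 = 5 << 20
var allowedTypes = map[string]bool{"image/jpeg": true, "image/png": true, "image/gif": true, "image/webp": true}

// validateImageURL accepts only http(s) URLs without embedded credentials whose host resolves
// exclusively to public addresses. The resolver is injected for offline use; pass net.LookupIP in production.
func validateImageURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.Hostname() == "" || u.User != nil {
		return errors.New("missing host or embedded credentials")
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return errors.New("host does not resolve")
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return fmt.Errorf("host resolves to non-public address %s", ip)
		}
	}
	return nil
}

// readBoundedImage reads at most maxImageBytes and checks the sniffed content type, so an
// oversized or non-image body is rejected before it can fill the cache or exhaust memory.
func readBoundedImage(r io.Reader) ([]byte, error) {
	body, err := io.ReadAll(io.LimitReader(r, maxImageBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > maxImageBytes {
		return nil, errors.New("image exceeds size limit")
	}
	if ct := http.DetectContentType(body); !allowedTypes[ct] {
		return nil, fmt.Errorf("content type %q not allowed", ct)
	}
	return body, nil
}
```

Resolving the host and then fetching it in a separate step still leaves a window for DNS rebinding, so a production client should also pin the resolved address in its dialer.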
CVE-2025-64178 is a HIGH severity vulnerability in jellysweep where uncontrolled data in the image cache API can lead to a denial-of-service.
You are affected if you are using a version of jellysweep prior to 0.13.0. Check your installed version and upgrade accordingly.
Upgrade to version 0.13.0 of jellysweep to address the uncontrolled data handling issue. Consider input validation as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2025-64178, but public PoCs may emerge.
Refer to the jellysweep project's official repository or website for the latest security advisories and updates.