GHSA-xc93-q32j-cpcg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xc93-q32j-cpcg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-xc93-q32j-cpcg/GHSA-xc93-q32j-cpcg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xc93-q32j-cpcg
- Aliases
- Published
- 2025-11-04T14:30:22Z
- Modified
- 2025-11-04T15:12:51.320682Z
- Severity
-
- 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H CVSS Calculator
- Summary
- Jellysweep uses uncontrolled data in image cache API endpoint
- Details
-
Impact
The
/api/images/cachewhich is used to download media posters from the server accepted anurlparameter, which was directly passed to the cache package and that downloaded the poster from this URL. This URL parameter can be used to make the jellysweep server download arbitrary content.The API endpoint can only be used by authenticated users.
Patches
Fixed in
v0.13.0. The affected (and now fixed) library was also moved tointernal/because it wasn't meant to be imported.References
https://github.com/jon4hz/jellysweep/security/code-scanning/28
- Database specific
{ "severity": "HIGH", "cwe_ids": [ "CWE-918" ], "github_reviewed_at": "2025-11-04T14:30:22Z", "nvd_published_at": null, "github_reviewed": true }- References
Affected packages
Go / github.com/jon4hz/jellysweep
Package
- Name
- github.com/jon4hz/jellysweep
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/jon4hz/jellysweep