CVE-2025-58760
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tautulli | tautulli | up to 2.16.0 (excluding 2.16.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a path traversal flaw in the `/image` API endpoint of Tautulli versions 2.15.3 and earlier. The endpoint serves static images from the application's data directory without requiring authentication. Due to improper sanitization of user input in the URL path, an attacker can manipulate the path to access arbitrary files on the server's filesystem outside the intended directory. This allows unauthenticated attackers to read sensitive files such as the `tautulli.db` database containing active JWT tokens and the `config.ini` file containing hashed admin passwords and secret tokens. Exploiting this can lead to privilege escalation and administrative control over the application. The issue was fixed in version 2.16.0. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized disclosure of sensitive information stored on the server, such as authentication tokens, hashed passwords, and configuration secrets. Attackers can use this information to escalate privileges and gain administrative control over the Tautulli application without authentication. This compromises the security and integrity of the application and potentially the Plex Media Server environment it monitors. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP GET requests to the vulnerable Tautulli server targeting the `/image` API endpoint with path traversal sequences. For example, a command using curl to test the vulnerability is: `curl -i http://<tautulli-server>/image/images/../../../../../../../../../etc/passwd`. If the response returns HTTP 200 with content type `image/png` and includes contents of the targeted file (e.g., `/etc/passwd`), the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Tautulli to version 2.16.0 or later, where the vulnerability is fixed. The fix involves validating image paths to ensure they are subdirectories of the intended resource directory, preventing path traversal. If upgrading immediately is not possible, restrict network access to the Tautulli server to trusted users only and monitor for suspicious requests targeting the `/image` endpoint. [1, 2]
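The two defender-side pieces above (the containment check the fix describes, and monitoring for traversal requests against `/image`) as an added Python illustration; this is not Tautulli's own code, and the resource directory, function names and access-log lines are constructed for the example.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote


def safe_image_path(resource_dir: str, requested: str) -> Optional[str]:
    """Resolve `requested` (from the URL) under `resource_dir`.

    Returns the absolute path only if it is still inside the resource
    directory after '..' and symlink resolution; otherwise returns None.
    """
    if os.path.isabs(requested) or "\x00" in requested:
        return None
    base = os.path.realpath(resource_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        contained = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows
        contained = False
    # The directory itself is not a servable image, so reject it too.
    return candidate if contained and candidate != base else None


# Detection side: a request to /image whose decoded path has a '..' segment.
_DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def is_suspicious_image_request(url_path: str) -> bool:
    """True if the path targets /image and carries '..' (single or double URL-encoded)."""
    decoded = unquote(unquote(url_path)).replace("\\", "/")
    return decoded.startswith("/image") and bool(_DOTDOT_SEGMENT.search(decoded))


# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Sep/2025:10:00:01 +0000] "GET /image/images/logo.png HTTP/1.1" 200 1234',
    '10.0.0.9 - - [09/Sep/2025:10:00:02 +0000] "GET /image/images/../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [09/Sep/2025:10:00:03 +0000] "GET /image/%2e%2e/%2e%2e/config.ini HTTP/1.1" 200 900',
    '10.0.0.7 - - [09/Sep/2025:10:00:04 +0000] "GET /api/v2?cmd=get_settings HTTP/1.1" 401 50',
]
_REQUEST_PATH = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')


def find_traversal_attempts(lines: List[str]) -> List[str]:
    """Return the request paths in `lines` that look like /image traversal attempts."""
    hits = []
    for line in lines:
        m = _REQUEST_PATH.search(line)
        if m and is_suspicious_image_request(m.group(1)):
            hits.append(m.group(1))
    return hits
```

Running `find_traversal_attempts(SAMPLE_LOG)` flags the two `/image` requests that step outside the images directory and ignores the ordinary image and API requests.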