CVE-2025-58761
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tautulli | tautulli | to 2.16.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-27 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58761 is a path traversal vulnerability in the `real_pms_image_proxy` endpoint of Tautulli versions 2.15.3 and earlier. This endpoint fetches images from the Plex Media Server based on an `img` URL parameter that can be a URL or a local file path. Although the application validates that the `img` parameter starts with the prefix `interfaces/default/images`, this check can be bypassed by appending path traversal sequences (like `../`) after the valid prefix. This allows unauthenticated attackers to read arbitrary files from the server's filesystem, including sensitive files such as the `tautulli.db` database and `config.ini` configuration file. [2]
How can this vulnerability impact me? :
This vulnerability can have a significant impact because attackers can read sensitive files on the server without authentication. They can exfiltrate the `tautulli.db` SQLite database containing active JWT tokens and the `config.ini` file which holds the hashed admin password, JWT token secret, and Plex Media Server tokens and connection details. With this information, attackers may crack passwords or use valid JWT tokens to escalate privileges and gain administrative control over the Tautulli application, potentially compromising the entire system. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the path traversal in the `real_pms_image_proxy` endpoint. For example, you can use a curl command to request a sensitive file outside the intended directory, such as the config.ini file, to see if it is accessible. A sample command is: curl --path-as-is -i -s -k 'http://<target-host>:8181/pms_image_proxy?img=interfaces/default/images/../../../../../../../../../config/config.ini' If the response contains the contents of the config.ini file or other sensitive files, the system is vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Tautulli to version 2.16.0 or later, where the vulnerability has been fixed. The fix includes improved validation of the image format parameter in the `real_pms_image_proxy` endpoint, restricting accepted image formats to 'png' and 'jpg' only, preventing path traversal exploits. Until the upgrade can be applied, consider restricting access to the Tautulli service to trusted networks or users to reduce exposure. [1, 2]