CVE-2025-58761
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-09-18

Assigner: GitHub, Inc.

Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `real_pms_image_proxy` endpoint in Tautulli v2.15.3 and prior is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. The `real_pms_image_proxy` is used to fetch an image directly from the backing Plex Media Server. The image to be fetched is specified through an `img` URL parameter, which can either be a URL or a file path. There is some validation ensuring that `img` begins with the prefix `interfaces/default/images` in order to be served from the local filesystem. However this can be bypassed by passing an `img` parameter which begins with a valid prefix, and then adjoining path traversal characters in order to reach files outside of intended directories. An attacker can exfiltrate files on the application file system, including the `tautulli.db` SQLite database containing active JWT tokens, as well as the `config.ini` file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. Version 2.16.0 contains a fix for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-09-18
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58761
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tautulli tautulli to 2.16.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-27 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58761 is a path traversal vulnerability in the `real_pms_image_proxy` endpoint of Tautulli versions 2.15.3 and earlier. This endpoint fetches images from the Plex Media Server based on an `img` URL parameter that can be a URL or a local file path. Although the application validates that the `img` parameter starts with the prefix `interfaces/default/images`, this check can be bypassed by appending path traversal sequences (like `../`) after the valid prefix. This allows unauthenticated attackers to read arbitrary files from the server's filesystem, including sensitive files such as the `tautulli.db` database and `config.ini` configuration file. [2]

Impact Analysis

This vulnerability can have a significant impact because attackers can read sensitive files on the server without authentication. They can exfiltrate the `tautulli.db` SQLite database containing active JWT tokens and the `config.ini` file which holds the hashed admin password, JWT token secret, and Plex Media Server tokens and connection details. With this information, attackers may crack passwords or use valid JWT tokens to escalate privileges and gain administrative control over the Tautulli application, potentially compromising the entire system. [2]

Detection Guidance

This vulnerability can be detected by attempting to exploit the path traversal in the `real_pms_image_proxy` endpoint. For example, you can use a curl command to request a sensitive file outside the intended directory, such as the config.ini file, to see if it is accessible. A sample command is: curl --path-as-is -i -s -k 'http://<target-host>:8181/pms_image_proxy?img=interfaces/default/images/../../../../../../../../../config/config.ini' If the response contains the contents of the config.ini file or other sensitive files, the system is vulnerable. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade Tautulli to version 2.16.0 or later, where the vulnerability has been fixed. The fix includes improved validation of the image format parameter in the `real_pms_image_proxy` endpoint, restricting accepted image formats to 'png' and 'jpg' only, preventing path traversal exploits. Until the upgrade can be applied, consider restricting access to the Tautulli service to trusted networks or users to reduce exposure. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart