CVE-2025-58762
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-09-18

Assigner: GitHub, Inc.

Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. In Tautulli v2.15.3 and earlier, an attacker with administrative access can use the `pms_image_proxy` endpoint to write arbitrary Python scripts into the application filesystem. This leads to remote code execution when combined with the `Script` notification agent. If an attacker with administrative access changes the URL of the PMS to a server they control, they can then abuse `pms_image_proxy` to obtain a file write into the application filesystem. This can be done by making a `pms_image_proxy` request with a URL in the `img` parameter and the desired file name in the `img_format` parameter. Tautulli then uses a hash of the desired metadata together with the `img_format` to construct a file path. Since the attacker controls `img_format`, which occupies the end of the file path, and `img_format` is not sanitised, the attacker can use path traversal characters to specify a filename of their choosing. If the specified file does not exist, Tautulli will then attempt to fetch the image from the configured PMS. Since the attacker controls the PMS, they can return arbitrary content in response to this request, which will then be written into the specified file. An attacker can therefore write an arbitrary Python script into a location on the application filesystem. The attacker can then make use of the built-in `Script` notification agent to run the local script, obtaining remote code execution on the application server. Users should upgrade to version 2.16.0 to receive a patch.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-09
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor: tautulli
Product: tautulli
Version / Range: up to 2.16.0 (excluding)
CWE
CWE-73 (External Control of File Name or Path): The product allows user input to control or influence paths or file names that are used in filesystem operations.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-58762 is a critical remote code execution vulnerability in Tautulli versions up to 2.15.3. An attacker with administrative access can exploit the `pms_image_proxy` endpoint by manipulating the `img` and `img_format` parameters to write arbitrary Python scripts to the application filesystem. The vulnerability arises because the `img_format` parameter is not sanitized and can include path traversal characters, allowing the attacker to specify arbitrary file paths. By controlling the PMS URL to point to a server they control, the attacker can cause Tautulli to fetch and write arbitrary content to these paths. The attacker can then use the built-in Script notification agent to execute the malicious scripts, resulting in remote code execution on the application server. Users are advised to upgrade to version 2.16.0 to patch this issue. [2]


How can this vulnerability impact me?

This vulnerability allows an attacker with administrative privileges to execute arbitrary Python code on the Tautulli server remotely. This can lead to full compromise of the application server, including unauthorized access to data, modification or deletion of files, disruption of service, and potentially further attacks on the network or connected systems. Because the attacker can write and execute arbitrary scripts, the impact on confidentiality, integrity, and availability is high. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can focus on monitoring for unusual requests to the `pms_image_proxy` endpoint, especially those containing suspicious `img` URLs and `img_format` parameters with path traversal characters. Network monitoring tools or web server logs can be searched for such patterns. For example, using grep on Tautulli logs or web server access logs: `grep -E 'pms_image_proxy.*img=.*&img_format=.*\.\./' /path/to/logfile` to find requests with path traversal attempts. Additionally, monitoring for unexpected file creations or modifications in the Tautulli application filesystem, particularly Python scripts, may indicate exploitation attempts. [2]
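The log search described above, as an added example that is not part of the original record and not a Tautulli tool: it parses constructed access-log lines in common log format, isolates requests to `pms_image_proxy`, decodes the `img_format` parameter (repeatedly, so double URL-encoding is not missed, which the one-line grep above does not cover) and flags any value containing `..` or a path separator. The log line layout and the sample requests are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in common log format; not real Tautulli or web-server output.
LOG_LINES = [
    '10.0.0.5 - - [09/Sep/2025:10:00:01 +0000] "GET /pms_image_proxy?img=/library/metadata/123/thumb&width=300&height=450&img_format=png HTTP/1.1" 200 5123',
    '10.0.0.9 - - [09/Sep/2025:10:00:07 +0000] "GET /pms_image_proxy?img=/library/metadata/123/thumb&img_format=../../example.py HTTP/1.1" 200 40',
    '10.0.0.9 - - [09/Sep/2025:10:00:09 +0000] "GET /pms_image_proxy?img=/library/metadata/123/thumb&img_format=..%252F..%252Fexample.py HTTP/1.1" 200 40',
    '10.0.0.5 - - [09/Sep/2025:10:01:00 +0000] "GET /home HTTP/1.1" 200 8000',
]

# Request line inside the quoted part of a common-log-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Anything that could move the resulting filename out of its directory.
TRAVERSAL_RE = re.compile(r"(\.\.|[/\\])")


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, to catch double-encoded input."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line: str):
    """Return a finding dict for a suspicious pms_image_proxy request, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    if not parts.path.endswith("/pms_image_proxy"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one level
    img_format = fully_unquote(params.get("img_format", [""])[0])
    if TRAVERSAL_RE.search(img_format):
        return {
            "client": line.split(" ", 1)[0],
            "img_format": img_format,
            "reason": "path separator or '..' in img_format",
        }
    return None


def scan(lines):
    """Run analyse_line over every line and keep the findings."""
    return [finding for finding in map(analyse_line, lines) if finding]


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```

Findings are worth correlating with the Tautulli admin session that issued them and with any change to the configured PMS URL around the same time, since the write only succeeds once the PMS setting points at a host the attacker controls.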


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Tautulli to version 2.16.0 or later, where this vulnerability is patched. Until the upgrade can be performed, restrict administrative access to trusted users only, and monitor for suspicious activity targeting the `pms_image_proxy` endpoint. Applying network-level controls to limit access to the Tautulli administrative interface can also reduce risk. [2]

