CVE-2025-58763
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tautulli | tautulli | up to 2.16.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in Tautulli versions 2.15.3 and earlier when installed manually from GitHub. It occurs because the application executes git commands using Python's subprocess.Popen with shell=True, without sanitizing user-supplied inputs for git remote and branch names. An attacker with administrative privileges can exploit this by injecting shell commands via these inputs, leading to remote code execution on the server. The vulnerability is fixed in version 2.16.0. [1]
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with administrative access to execute arbitrary commands on the Tautulli application server remotely. This can lead to full compromise of the server, including data theft, service disruption, or using the server as a foothold for further attacks. The impact on confidentiality, integrity, and availability is high. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Tautulli installation is version 2.15.3 or earlier and was cloned directly from GitHub and installed manually. You can verify the Tautulli version by running a command like `tautulli --version` or checking the version in the application interface. Additionally, you can inspect the configuration keys GIT_REMOTE and GIT_BRANCH for suspicious shell metacharacters or command substitution patterns such as `$()`. Since the vulnerability involves command injection via the checkout_git_branch endpoint, monitoring logs for unusual git commands or unexpected shell command executions may help detect exploitation attempts. There is no specific detection command provided, but reviewing the configuration and version is key. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Tautulli to version 2.16.0 or later, where this vulnerability has been fixed. If upgrading is not immediately possible, restrict administrative access to the Tautulli application to trusted users only, as the vulnerability requires administrative privileges. Avoid using manually cloned GitHub installations if possible, or ensure that inputs to the checkout_git_branch endpoint are sanitized to prevent command injection. Monitoring and restricting network access to the application server can also reduce risk. [1]
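The detection and mitigation answers above both come down to the same two controls: never hand GIT_REMOTE or GIT_BRANCH to a shell, and flag configuration values that carry shell metacharacters. The following is an added example written for this page, not Tautulli's own code; the GIT_REMOTE/GIT_BRANCH key names come from the advisory text, while the git fetch/checkout step sequence and the strict ref allowlist are assumptions made here. The constructed sample configurations are illustrative only.

```python
import re
import subprocess

# Allowlist for remote/branch names: leading alphanumeric (so git cannot parse the
# value as an option), then letters, digits, dot, underscore, slash or dash. This is
# deliberately stricter than git's full ref grammar (an assumption of this example).
SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\n\\\"' ]")

def is_safe_git_ref(value: str) -> bool:
    """True if value is acceptable as a git remote or branch name."""
    if not SAFE_REF.match(value):
        return False
    return ".." not in value and not value.endswith(".lock")

def vulnerable_command_string(remote: str, branch: str) -> str:
    """The pattern the advisory describes: config values interpolated into a single
    string destined for Popen(..., shell=True). Metacharacters pass through untouched.
    Returned for inspection only; never executed in this example."""
    return f"git fetch {remote} {branch} && git checkout {branch}"

def build_checkout_argv(remote: str, branch: str) -> list[list[str]]:
    """Hardened form: validate both inputs, then emit argv lists so no shell is
    involved. The exact git steps are an assumption, not Tautulli's sequence."""
    for key, value in (("GIT_REMOTE", remote), ("GIT_BRANCH", branch)):
        if not is_safe_git_ref(value):
            raise ValueError(f"{key} is not a valid git ref: {value!r}")
    return [["git", "fetch", remote, branch], ["git", "checkout", branch]]

def run_git(argv_list: list[list[str]], cwd: str) -> None:
    """Execute with shell=False; each element reaches git as one argv entry."""
    for argv in argv_list:
        subprocess.run(argv, cwd=cwd, shell=False, check=True)

def scan_config(config: dict[str, str]) -> dict[str, str]:
    """Detection side: report GIT_* keys whose values contain shell metacharacters
    or fail the allowlist, mapped to the offending characters."""
    findings = {}
    for key in ("GIT_REMOTE", "GIT_BRANCH"):
        value = config.get(key, "")
        bad = sorted(set(SHELL_METACHARS.findall(value)))
        if bad or not is_safe_git_ref(value):
            findings[key] = "".join(bad) or "fails ref allowlist"
    return findings

# Constructed sample configurations (not taken from any real installation).
CLEAN_CONFIG = {"GIT_REMOTE": "origin", "GIT_BRANCH": "master"}
TAMPERED_CONFIG = {"GIT_REMOTE": "origin; cmd", "GIT_BRANCH": "master$(cmd)"}

if __name__ == "__main__":
    print(scan_config(CLEAN_CONFIG))     # {}
    print(scan_config(TAMPERED_CONFIG))  # {'GIT_REMOTE': ' ;', 'GIT_BRANCH': '$()'}
```

Running `scan_config` over an exported Tautulli config gives the review step the detection answer describes, while `build_checkout_argv` shows why an argv list plus an allowlist removes the injection path that `shell=True` string building leaves open.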