CVE-2025-62382
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| blakeblackshear | frigate | 0.16.1 |
| blakeblackshear | frigate | 0.16.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Frigate (prior to version 0.16.2) allows an authenticated user to specify any filesystem location as the thumbnail source for a video export. Because the specified path is copied directly into the publicly accessible clips directory, an attacker with low privileges can exploit this to read arbitrary files on the host system. This can lead to unauthorized disclosure of sensitive files such as configuration files, secrets, or user data. The exploit relies on a short timing window during the file copy process before cleanup occurs.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized information disclosure by allowing a low-privilege user to access sensitive files on the host running Frigate. This could result in exposure of confidential configuration data, secrets, or user information, potentially compromising the security and privacy of the system and its users.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Frigate to version 0.16.2 or later, as this version contains the fix for the vulnerability. Until the upgrade is applied, restrict API access to trusted users only to prevent exploitation by low-privilege users.