CVE-2025-58760

Exploit

EPSS 0.6%
Veröffentlicht 09.09.2025 19:56:57
Zuletzt bearbeitet 18.09.2025 17:30:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Tautulli vulnerable to Unauthenticated Path Traversal in `/image` endpoint

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint in Tautulli v2.15.3 and earlier is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. In Tautulli, the `/image` API endpoint is used to serve static images from the application's data directory to users. This endpoint can be accessed without authentication, and its intended purpose is for server background images and icons within the user interface. Attackers can exfiltrate files from the application file system, including the `tautulli.db` SQLite database containing active JWT tokens, as well as the `config.ini` file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. Version 2.16.0 contains a fix for the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tautulli ≫ Tautulli Version < 2.16.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.6%	0.441

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-8g4r-8f3f-hghp

Vendor Advisory

Exploit

https://github.com/Tautulli/Tautulli/commit/47566128e2e5dde98980d59b7a51b98173bc0b40

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-58760

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-58760

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-58760

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-58760