CVE-2025-58761

Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `real_pms_image_proxy` endpoint in Tautulli v2.15.3 and prior is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. The `real_pms_image_proxy` is used to fetch an image directly from the backing Plex Media Server. The image to be fetched is specified through an `img` URL parameter, which can either be a URL or a file path. There is some validation ensuring that `img` begins with the prefix `interfaces/default/images` in order to be served from the local filesystem. However this can be bypassed by passing an `img` parameter which begins with a valid prefix, and then adjoining path traversal characters in order to reach files outside of intended directories. An attacker can exfiltrate files on the application file system, including the `tautulli.db` SQLite database containing active JWT tokens, as well as the `config.ini` file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. Version 2.16.0 contains a fix for the issue.

CVSS v3.1 Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Weakness Type (CWE)

CWE-27 CWE-27

Affected Products

Vendor	Product	Versions
tautulli	tautulli	< 2.16.0

References

Advisories & Patches

https://github.com/Tautulli/Tautulli/commit/ec77a70aafc555e1aad0d9981f719d1200c117f1 https://github.com/Tautulli/Tautulli/security/advisories/GHSA-r732-m675-wj7w https://github.com/Tautulli/Tautulli/security/advisories/GHSA-r732-m675-wj7w

Exploits

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-r732-m675-wj7w https://github.com/Tautulli/Tautulli/security/advisories/GHSA-r732-m675-wj7w

Frequently Asked Questions

What is CVE-2025-58761? +

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `real_pms_image_proxy` endpoint in Tautulli v2.15.3 and prior is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. The `real_pms_image_proxy` is used to fetch an image directly from the backing Plex Media Server. The image to be fetched is specified through an `img` URL parameter, which can either be a URL or a file path. There is some validation ensuring that `img` begins with the prefix `interfaces/default/images` in order to be served from the local filesystem. However this can be bypassed by passing an `img` parameter which begins with a valid prefix, and then adjoining path traversal characters in order to reach files outside of intended directories. An attacker can exfiltrate files on the application file system, including the `tautulli.db` SQLite database containing active JWT tokens, as well as the `config.ini` file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. Version 2.16.0 contains a fix for the issue. It has a CVSS v3.1 base score of 8.6 (HIGH).

How severe is CVE-2025-58761? +

CVE-2025-58761 has a CVSS v3.1 score of 8.6 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.

What products are affected by CVE-2025-58761? +

CVE-2025-58761 affects products from tautulli, specifically: tautulli. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-58761? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-43658

Patch traversal, External Control of File Name or Path vulnerability in Iocharger Home allows deletion of arbitrary files This issue …

CVE-2024-23897 9.8

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces …

CVE-2024-27764 9.8

An issue in Jeewms v.3.7 and before allows a remote attacker to escalate privileges via the AuthInterceptor component.

CVE-2024-21896 9.8

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If …

CVE-2024-51747 9.1

Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can read and delete arbitrary …

CVE-2025-10438 8.6

Path Traversal: 'dir/../../filename' vulnerability in Yordam Information Technology Consulting Education and Electrical Systems Industry Trade Inc. Yordam Katalog allows Path …