Platform: python
Component: tautulli
Fixed in: 2.16.1
CVE-2025-58760 describes a Path Traversal vulnerability discovered in Tautulli, a Python-based monitoring tool for Plex Media Server. This vulnerability allows unauthenticated attackers to read arbitrary files from the application server's filesystem, potentially exposing sensitive data. The issue affects versions of Tautulli up to and including 2.16.0, and a patch is available in version 2.16.0.
The /image API endpoint in Tautulli, responsible for serving static images, is vulnerable to path traversal. Because this endpoint is accessible without authentication, any attacker can exploit it. By crafting malicious requests, an attacker can bypass intended access controls and read files outside the intended directory. This could include configuration files, database backups, or even parts of the application's source code, depending on the server's file system layout and permissions. The potential impact ranges from information disclosure to, in extreme cases, complete server compromise if sensitive credentials or keys are exposed.
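To make the failure mode concrete, here is an added example (not Tautulli's code, and the image root path is a hypothetical placeholder) contrasting the fragile pattern, where a user-supplied name is joined straight onto the image directory, with a hardened resolver that refuses any request whose normalised target lands outside that directory. The `escapes_root` helper is the check a defender runs to see whether a resolved path has left the intended tree.

```python
import os
from pathlib import Path
from typing import Optional

# Hypothetical image root used for this example; Tautulli's real layout is not
# part of the advisory and is not reproduced here.
IMAGE_ROOT = Path("/opt/tautulli/data/images")


def naive_image_path(user_supplied: str) -> Path:
    """The fragile pattern: join user input straight onto the image root.

    os.path.join throws the base away when the second argument is absolute,
    and '..' segments are preserved, so the result can leave IMAGE_ROOT.
    """
    return Path(os.path.join(IMAGE_ROOT, user_supplied))


def escapes_root(candidate: Path) -> bool:
    """Return True when the normalised candidate is not inside IMAGE_ROOT."""
    root = os.path.normpath(str(IMAGE_ROOT))
    target = os.path.normpath(str(candidate))
    return os.path.commonpath([root, target]) != root


def safe_image_path(user_supplied: str) -> Optional[Path]:
    """Hardened resolver: reject absolute input, normalise, then require the
    result to remain under IMAGE_ROOT. Returns None so the caller can answer
    with 404/403 instead of serving the file."""
    if os.path.isabs(user_supplied) or user_supplied.startswith(("/", "\\")):
        return None
    # resolve() collapses '..' and follows symlinks; strict=False keeps it
    # working when the file does not exist yet (the caller handles 404).
    candidate = (IMAGE_ROOT / user_supplied).resolve(strict=False)
    try:
        candidate.relative_to(IMAGE_ROOT.resolve(strict=False))
    except ValueError:
        return None  # escaped the image tree
    return candidate


if __name__ == "__main__":
    for name in ("posters/abc.jpg", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r}: naive escapes root = {escapes_root(naive_image_path(name))}, "
              f"safe -> {safe_image_path(name)}")
```

Note that the hardened version compares resolved paths rather than searching the string for `../`: a string filter misses encodings and symlink tricks, whereas a containment check on the final resolved path rejects every escape regardless of how it was written.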
CVE-2025-58760 was publicly disclosed on September 9, 2025. There is no indication of active exploitation at this time, and it is not currently listed on CISA KEV. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it relatively straightforward to exploit, increasing the likelihood of future exploitation attempts.
Exploit Status
EPSS: 0.15% (36th percentile)
The primary mitigation for CVE-2025-58760 is to upgrade Tautulli to version 2.16.0 or later, which contains the fix. If an immediate upgrade is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts targeting the /image endpoint. Specifically, look for requests with sequences such as ../ (including URL-encoded forms) or absolute paths. Additionally, review file system permissions to ensure that the Tautulli application directory is not writable by the web server user. After upgrading, confirm the fix by attempting to access a file outside the intended image directory via the /image endpoint; the request should be denied.
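The WAF rule and the post-upgrade check above both reduce to the same question: does a request to /image carry a dot-dot segment or an absolute path once it is decoded? The following added example (not from Tautulli or the advisory) runs that check over a few constructed access-log lines so the same logic can be used for retrospective hunting in existing logs. The `img` query parameter name and the log lines are constructed for illustration; the absolute-path rule follows the advisory's wording and may need tuning where a deployment legitimately passes absolute paths.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed Apache-style access-log lines for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Sep/2025:10:01:02 +0000] "GET /image?img=pms_image_proxy/poster.jpg HTTP/1.1" 200 5120
203.0.113.7 - - [09/Sep/2025:10:01:09 +0000] "GET /image?img=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.7 - - [09/Sep/2025:10:01:11 +0000] "GET /image?img=..%2F..%2Fconfig.ini HTTP/1.1" 200 900
203.0.113.9 - - [09/Sep/2025:10:02:30 +0000] "GET /image?img=%252e%252e%252fsecret HTTP/1.1" 404 120
203.0.113.5 - - [09/Sep/2025:10:03:00 +0000] "GET /home HTTP/1.1" 200 13000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

DOTDOT_RE = re.compile(r"(?:^|[/=])\.\.(?:/|$)")   # '..' as a whole path segment
ABSOLUTE_RE = re.compile(r"=/")                    # a parameter value starting with '/'


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .) so nested
    encodings cannot slip past a single-pass filter."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target: str) -> Optional[str]:
    """Return a reason string when a request target aimed at /image looks like
    a traversal attempt, otherwise None."""
    decoded = fully_decode(target).replace("\\", "/")
    if not decoded.startswith("/image"):
        return None
    rest = decoded[len("/image"):]
    if DOTDOT_RE.search(rest):
        return "dot-dot segment"
    if ABSOLUTE_RE.search(rest):
        return "absolute path in parameter"
    return None


def scan_log(text: str) -> List[dict]:
    """Parse log lines and return the entries flagged as traversal attempts."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        reason = is_traversal_attempt(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "target": m["target"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} {hit['status']} {hit['reason']}: {hit['target']}")
```

A flagged request that returned 200 on a pre-2.16.1 install deserves a closer look at what was read; after the upgrade the same probe should produce a denial, which is the verification step the advisory describes.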
Update Tautulli to version 2.16.0 or later. This version contains a fix for the path traversal vulnerability. The update will prevent unauthenticated attackers from accessing arbitrary files on the server's file system.
CVE-2025-58760 is a Path Traversal vulnerability affecting Tautulli versions up to 2.16.0, allowing unauthorized file access.
You are affected if you are running Tautulli version 2.16.0 or earlier. Upgrade to 2.16.0 to mitigate the risk.
Upgrade Tautulli to version 2.16.0 or later. Consider WAF rules as a temporary workaround.
There is currently no indication of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the Tautulli project's official website and GitHub repository for updates and advisories.