Platform: python
Component: tautulli
Fixed in: 2.16.1
CVE-2025-58760 describes a Path Traversal vulnerability discovered in Tautulli, a Python-based monitoring tool for Plex Media Server. This vulnerability allows unauthenticated attackers to read arbitrary files from the application server's filesystem, potentially exposing sensitive data. The issue affects versions of Tautulli up to and including 2.16.0, and a patch is available in version 2.16.0.
The /image API endpoint in Tautulli, responsible for serving static images, is vulnerable to path traversal. Because this endpoint is accessible without authentication, any attacker can exploit it. By crafting malicious requests, an attacker can bypass intended access controls and read files outside the intended directory. This could include configuration files, database backups, or even parts of the application's source code, depending on the server's file system layout and permissions. The potential impact ranges from information disclosure to, in extreme cases, complete server compromise if sensitive credentials or keys are exposed.
CVE-2025-58760 was publicly disclosed on September 9, 2025. There is no indication of active exploitation at this time, and it is not currently listed on CISA KEV. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it relatively straightforward to exploit, increasing the likelihood of future exploitation attempts.
Organizations running Plex Media Server with Tautulli installed are at risk, particularly those with publicly accessible Tautulli instances or those using default configurations. Shared hosting environments where multiple users share the same server are also at increased risk, as a compromised Tautulli instance could potentially expose data belonging to other users.
• python / server:
# Check for Tautulli processes and versions
ps aux | grep tautulli
# Monitor access logs for suspicious requests to /image endpoint
grep '/image/' /var/log/nginx/access.log
• generic web:
# Attempt to access a file outside the intended image directory
curl http://<tautulli_ip>/image/../../../../etc/passwd
Disclosure
Exploit Status:
EPSS: 0.15% (percentile 36%)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-58760 is to upgrade Tautulli to version 2.16.0 or later, which contains the fix. If an immediate upgrade is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts targeting the /image endpoint. Specifically, look for requests with characters like ../ or absolute paths. Additionally, review file system permissions to ensure that the Tautulli application directory is not writable by the web server user. After upgrading, confirm the fix by attempting to access a file outside the intended image directory via the /image endpoint; the request should be denied.
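As an added example (not Tautulli's own code and not from this advisory), the Python below shows the two defensive pieces the description of the /image endpoint and the mitigation above call for: a containment check that a hardened image-serving handler can use to refuse any request resolving outside the image directory, and a scanner that flags traversal attempts against /image in nginx combined-format access logs, the same kind of review the grep command earlier on this page suggests. The directory IMAGE_ROOT, the function names, the log regex and the sample log lines are assumptions constructed for this example.

```python
"""Added example, not Tautulli's own code: server-side containment check for an
image-serving endpoint plus a scanner that flags traversal attempts against
/image in nginx combined-format access logs. IMAGE_ROOT, the function names
and SAMPLE_LOG are assumptions constructed for this example."""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical image directory; Tautulli's real layout is not part of this example.
IMAGE_ROOT = "/opt/tautulli/data/images"

# Request line of an nginx combined-format entry, e.g.
# 203.0.113.5 - - [09/Sep/2025:10:00:00 +0000] "GET /image/poster.png HTTP/1.1" 200 51234
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _decode(value: str) -> str:
    # Undo percent-encoding twice so %252e%252e (double-encoded "..") is seen as "..".
    return unquote(unquote(value))


def resolve_image_path(image_root: str, requested: str) -> Optional[str]:
    """Hardened lookup: map a client-supplied name onto a file under image_root,
    returning None for anything that would land outside it. Absolute paths and
    NUL bytes are rejected outright; everything else is normalised and compared
    with the root on a path-separator boundary, so 'images2/x' is not taken to
    be inside 'images'. Symlinks inside the root are not followed here."""
    decoded = _decode(requested)
    if not decoded or "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    root = os.path.normpath(image_root)
    candidate = os.path.normpath(os.path.join(root, decoded))
    if candidate == root or not candidate.startswith(root + os.sep):
        return None
    return candidate


def looks_like_traversal(value: str) -> bool:
    """Detection-side heuristic (what a WAF rule would match): a '..' path
    component, an absolute path or a NUL byte after decoding."""
    decoded = _decode(value)
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return True
    return any(part == ".." for part in re.split(r"[\\/]+", decoded))


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, status, request_target) for every request to /image
    whose path suffix or any query-string value looks like a traversal attempt.
    The status is reported, not filtered on: a 404 still shows someone probing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/image" and not parts.path.startswith("/image/"):
            continue
        candidates = [parts.path[len("/image/"):]] if parts.path.startswith("/image/") else []
        candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        if any(looks_like_traversal(c) for c in candidates):
            hits.append((m.group("ip"), m.group("status"), m.group("target")))
    return hits


# Constructed sample lines (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Sep/2025:10:00:00 +0000] "GET /image/poster.png HTTP/1.1" 200 51234',
    '203.0.113.7 - - [09/Sep/2025:10:00:01 +0000] "GET /image/../../../../etc/passwd HTTP/1.1" 200 2048',
    '203.0.113.7 - - [09/Sep/2025:10:00:02 +0000] "GET /image/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 404 153',
    '203.0.113.9 - - [09/Sep/2025:10:00:03 +0000] "GET /home HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, status, target in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip} (HTTP {status}): {target}")
```

The two checks are deliberately different: resolve_image_path is the canonical server-side decision (a name like sub/../poster.png is accepted because it still resolves inside the root), while looks_like_traversal is the noisier pattern a WAF or log review applies, so it flags that same name. Running the scanner over the constructed log reports the two requests from 203.0.113.7 and ignores the ordinary poster fetch and the request outside /image.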
Update Tautulli to version 2.16.0 or later. This version contains a fix for the path traversal vulnerability. The update will prevent unauthenticated attackers from accessing arbitrary files on the server's file system.
CVE-2025-58760 is a Path Traversal vulnerability affecting Tautulli versions up to 2.16.0, allowing unauthorized file access.
You are affected if you are running Tautulli version 2.16.0 or earlier. Upgrade to 2.16.0 to mitigate the risk.
Upgrade Tautulli to version 2.16.0 or later. Consider WAF rules as a temporary workaround.
There is currently no indication of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the Tautulli project's official website and GitHub repository for updates and advisories.