CVE-2025-58760
Published: 09 September 2025
Summary
CVE-2025-58760 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Tautulli (vendor and product: Tautulli). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 31.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AU-13 (Monitoring for Information Disclosure).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of inputs to the /image API endpoint to block path traversal payloads that enable arbitrary file reads from the server filesystem.
- Limits permitted actions on the unauthenticated /image endpoint to only serving static images from the intended data directory, preventing access to sensitive files like tautulli.db and config.ini.
- Monitors system areas for unauthorized disclosures of sensitive information, such as suspicious /image requests exfiltrating JWT tokens or config files via path traversal.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in an unauthenticated, public web endpoint directly enables remote file reads of credential stores (the config file and the database holding JWT tokens).
NVD Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint in Tautulli v2.15.3 and earlier is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. In Tautulli, the `/image` API endpoint is used to serve static images from the application's data directory to users. This endpoint can be accessed without authentication, and its intended purpose is for server background images and icons within the user interface. Attackers can exfiltrate files from the application file system, including the `tautulli.db` SQLite database containing active JWT tokens, as well as the `config.ini` file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. Version 2.16.0 contains a fix for the issue.
Deeper analysis
CVE-2025-58760 is a path traversal vulnerability (CWE-23) in the `/image` API endpoint of Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. In versions 2.15.3 and earlier, the endpoint, which serves static images from the application's data directory without authentication, lets attackers traverse outside the intended directory and read arbitrary files on the application server's filesystem. The issue carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), reflecting high confidentiality impact with changed scope.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests to the `/image` endpoint, enabling them to read sensitive files such as the `tautulli.db` SQLite database containing active JWT tokens and the `config.ini` file with the hashed admin password, JWT token secret, Plex Media Server token, and connection details. Successful exfiltration of these files could allow privilege escalation to administrative control if the hashed password is cracked or a valid JWT token is reused.
The Tautulli GitHub security advisory (GHSA-8g4r-8f3f-hghp) and the fixing commit (47566128e2e5dde98980d59b7a51b98173bc0b40) confirm that version 2.16.0 resolves the vulnerability by addressing the path traversal in the endpoint. Security practitioners should upgrade to 2.16.0 or later and review access logs for suspicious `/image` requests.
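The mitigating control above (serve only files from the intended data directory) comes down to one path-confinement check. The following is an added example written for this page, not Tautulli's own code or its fix; it assumes images live under a single data directory and that the request carries a relative file name (the function and parameter names are hypothetical). It also shows which request forms the check must survive: `..` segments, percent-encoded `..`, absolute paths, and symlinks pointing outside the directory.

```python
"""Path-confinement check for a static-image endpoint, illustrating the
mitigation for CVE-2025-58760. Added example, not Tautulli's code."""
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_image_path(data_dir: str, requested: str) -> Optional[Path]:
    """Return the real on-disk path for `requested` only if it stays inside
    `data_dir`; return None for traversal, absolute paths, or symlink escapes.
    Decoding happens before the check so a percent-encoded '..' is not missed."""
    # Two rounds of decoding: the first is what a framework normally hands you,
    # the second catches double-encoded sequences a naive filter would pass.
    # (A confinement check only decides whether a path is inside the directory,
    # so over-decoding cannot widen what is reachable.)
    name = unquote(unquote(requested))
    # Reject empty names, NUL bytes (path truncation in C-level calls) and
    # absolute paths before touching the filesystem.
    if not name or "\x00" in name or name.startswith(("/", "\\")):
        return None
    base = Path(data_dir).resolve()
    # resolve() follows symlinks and collapses '..', so the comparison below is
    # made on the real location, not on the string the client sent.
    candidate = (base / name).resolve()
    if not candidate.is_relative_to(base) or not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway data directory with one image and one secret outside it
    (constructed sample data), then show which requests would be served."""
    root = Path(tempfile.mkdtemp())
    data = root / "data"
    data.mkdir()
    (data / "bg.png").write_bytes(b"\x89PNG")
    (root / "config.ini").write_text("[General]\n")      # secret outside data dir
    os.symlink(root / "config.ini", data / "link.ini")   # symlink escape attempt
    requests = ["bg.png", "../config.ini", "%2e%2e/config.ini", "link.ini", "/etc/hostname"]
    return {r: resolve_image_path(str(data), r) is not None for r in requests}


if __name__ == "__main__":
    for req, served in demo().items():
        print(f"{req!r:<24} -> {'served' if served else 'rejected'}")
```

The check requires Python 3.9 or later for `Path.is_relative_to`; only `bg.png` is served, every other request is rejected.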
Details
- CWE(s)