Cyber Posture

CVE-2025-58761

Severity: High · Public PoC

Published: 09 September 2025
Modified: 18 September 2025
KEV Added: not listed
Patch: available (fixed in 2.16.0)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0013 (32.4th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-58761 is a high-severity path traversal vulnerability (CWE-27, Path Traversal: 'dir/../../filename') in Tautulli (vendor: Tautulli). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two further techniques (T1005, T1552.001), listed below. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Requires validation of the `img` URL parameter to block path traversal sequences like `../`, directly preventing arbitrary file reads from the server's filesystem.

SI-2 Flaw Remediation (prevent)
Mandates timely flaw remediation by patching to Tautulli version 2.16.0 or later, comprehensively eliminating the path traversal vulnerability.

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to system resources, preventing unauthenticated access to sensitive files like `tautulli.db` and `config.ini` outside intended directories.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Path traversal in public-facing Tautulli endpoint enables unauthenticated arbitrary file read (T1005), directly exposing credential files (T1552.001) after initial exploitation of the web app (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `real_pms_image_proxy` endpoint in Tautulli v2.15.3 and prior is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. The `real_pms_image_proxy` is used to fetch an image directly from the backing Plex Media Server. The image to be fetched is specified through an `img` URL parameter, which can either be a URL or a file path. There is some validation ensuring that `img` begins with the prefix `interfaces/default/images` in order to be served from the local filesystem. However this can be bypassed by passing an `img` parameter which begins with a valid prefix, and then adjoining path traversal characters in order to reach files outside of intended directories. An attacker can exfiltrate files on the application file system, including the `tautulli.db` SQLite database containing active JWT tokens, as well as the `config.ini` file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. Version 2.16.0 contains a fix for the issue.

Deeper analysis

CVE-2025-58761 is a path traversal vulnerability (CWE-27) in the `real_pms_image_proxy` endpoint of Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. Affecting versions 2.15.3 and prior, the flaw stems from inadequate validation of the `img` URL parameter, which is intended to fetch images from the Plex Media Server or local filesystem paths starting with the prefix `interfaces/default/images`. Attackers can bypass this check by prepending a valid prefix to path traversal sequences like `../`, enabling access to arbitrary files on the application server's filesystem.
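The prefix check described in the NVD text and in the SI-10 control above is easiest to understand side by side with a containment check. The Python below is an added illustration written for this page; it is not Tautulli's code and not the fixing commit. `weak_is_local_image` models the bypassable string-prefix check the advisory describes, `resolve_local_image` is one way to enforce that the canonical path stays inside the images directory, and the `app_root` layout, `config.ini` contents and function names are constructed for the example.

```python
import os
import tempfile
from typing import Dict, Optional, Tuple

# Prefix the advisory says local-image requests must begin with.
ALLOWED_PREFIX = "interfaces/default/images"


def weak_is_local_image(img: str) -> bool:
    """Model of the bypassable check: only the leading string is inspected, so
    'interfaces/default/images/../../../config.ini' is accepted as an image path."""
    return img.startswith(ALLOWED_PREFIX)


def resolve_local_image(app_root: str, img: str) -> Optional[str]:
    """Illustrative containment check (not the project's fix): canonicalise the
    requested path and require it to remain inside the images directory.
    Returns the path to serve, or None to reject."""
    images_dir = os.path.realpath(os.path.join(app_root, ALLOWED_PREFIX))
    # os.path.join discards app_root when img is absolute; realpath collapses
    # '..' segments and follows symlinks, so we compare real targets, not strings.
    candidate = os.path.realpath(os.path.join(app_root, img))
    if candidate == images_dir:
        return None  # the directory itself is not an image
    if os.path.commonpath([images_dir, candidate]) != images_dir:
        return None  # escaped the images directory
    return candidate


def read_if_allowed(app_root: str, img: str, check: str) -> Optional[str]:
    """Serve the requested file under the chosen check ('weak' or 'hardened');
    None means the request was refused or the file could not be read."""
    if check == "weak":
        if not weak_is_local_image(img):
            return None
        path = os.path.join(app_root, img)
    else:
        path = resolve_local_image(app_root, img)
        if path is None:
            return None
    try:
        with open(path, "r", encoding="utf-8") as f:
            return f.read()
    except OSError:
        return None


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Build a throwaway app root holding a constructed config.ini and one image,
    then push a benign request and the advisory's bypass shape through both checks.
    Returns {img: (weak_result, hardened_result)}."""
    results: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    with tempfile.TemporaryDirectory() as app_root:
        os.makedirs(os.path.join(app_root, ALLOWED_PREFIX))
        with open(os.path.join(app_root, "config.ini"), "w", encoding="utf-8") as f:
            f.write("[General]\njwt_secret = CONSTRUCTED-SECRET\n")  # constructed sample
        with open(os.path.join(app_root, ALLOWED_PREFIX, "logo.png"), "w", encoding="utf-8") as f:
            f.write("PNGDATA")  # stand-in for image bytes
        for img in (
            "interfaces/default/images/logo.png",             # legitimate request
            "interfaces/default/images/../../../config.ini",  # bypass shape from the advisory
            "/etc/hostname",                                  # fails even the prefix check
        ):
            results[img] = (
                read_if_allowed(app_root, img, "weak"),
                read_if_allowed(app_root, img, "hardened"),
            )
    return results


if __name__ == "__main__":
    for img, (weak, hardened) in demo().items():
        print(f"{img!r}: weak={'served' if weak is not None else 'refused'}, "
              f"hardened={'served' if hardened is not None else 'refused'}")
```

The weak check serves `config.ini` because `startswith` never looks past the prefix; the hardened check rejects it because the resolved path no longer shares the images directory as its common path. Note that the advisory also allows `img` to be a URL; the example models only the local-file branch.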

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). Successful exploitation allows reading sensitive files, such as the `tautulli.db` SQLite database containing active JWT tokens and the `config.ini` file with the hashed admin password, JWT token secret, and Plex Media Server token and connection details. Possession of a valid JWT token or a cracked admin password enables privilege escalation to full administrative control of the Tautulli application.

The GitHub security advisory (GHSA-r732-m675-wj7w) and fixing commit (ec77a70aafc555e1aad0d9981f719d1200c117f1) confirm that Tautulli version 2.16.0 resolves the issue through improved parameter validation. Security practitioners should upgrade to 2.16.0 or later and review exposed Tautulli instances for signs of exploitation, in particular requests to the `real_pms_image_proxy` endpoint whose `img` parameter carries traversal sequences such as `../` after URL decoding. Because `config.ini` holds the JWT token secret, the Plex Media Server token and the hashed admin password, patching alone does not undo a prior disclosure: where exploitation is suspected, rotate those secrets and the admin password as well.
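One way to do the log review suggested above, as an added example that is not part of the page or of Tautulli: parse access-log lines, pick out requests to the image proxy, and flag any `img` value that contains a traversal segment after repeated percent-decoding or that normalises to a location outside `interfaces/default/images`. The log lines are constructed in common log format for the example (Tautulli's own log format is not stated on the page), and the URL path marker `pms_image_proxy` is an assumption, since the page names the handler `real_pms_image_proxy` but not its route.

```python
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the image proxy is served at a path containing this marker.
ENDPOINT_MARKER = "pms_image_proxy"
ALLOWED_PREFIX = "interfaces/default/images"

# Common log format request line; used only for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one benign request, two traversal attempts (the second
# double-encoded), and an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:12:00:01 +0000] "GET /pms_image_proxy?img=interfaces/default/images/logo.png HTTP/1.1" 200 4321
203.0.113.9 - - [10/Sep/2025:12:00:07 +0000] "GET /pms_image_proxy?img=interfaces/default/images/../../../config.ini HTTP/1.1" 200 2048
203.0.113.9 - - [10/Sep/2025:12:00:09 +0000] "GET /pms_image_proxy?img=interfaces%2Fdefault%2Fimages%2F..%252F..%252F..%252Ftautulli.db HTTP/1.1" 200 99999
198.51.100.7 - - [10/Sep/2025:12:00:15 +0000] "GET /home HTTP/1.1" 200 512
"""


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing so '..%252F' is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reason(img: str) -> Optional[str]:
    """Return why an img value looks like a traversal attempt, or None if benign.
    URL-form values (the endpoint's remote-fetch mode) are left alone here."""
    decoded = fully_unquote(img).replace("\\", "/")
    if urlsplit(decoded).scheme in ("http", "https"):
        return None
    if ".." in decoded.split("/"):
        return "traversal segment"
    norm = posixpath.normpath(decoded)
    if norm.startswith("/") or not (norm == ALLOWED_PREFIX or norm.startswith(ALLOWED_PREFIX + "/")):
        return "outside images prefix"
    return None


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Scan log lines and return one record per suspicious image-proxy request."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if ENDPOINT_MARKER not in parts.path:
            continue
        # parse_qs decodes one layer; traversal_reason decodes any further layers.
        for img in parse_qs(parts.query).get("img", []):
            reason = traversal_reason(img)
            if reason:
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "img": fully_unquote(img), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['reason']}: {hit['img']}")
```

A 200 status on a flagged request is the signal that matters: it suggests the file was actually returned, which is when the secret-rotation step above becomes necessary rather than optional.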

Details

CWE(s)

CWE-27 Path Traversal: 'dir/../../filename'

Affected Products

Tautulli (vendor: Tautulli), versions 2.15.3 and prior; fixed in 2.16.0

CVEs Like This One

CVE-2025-58760 (same product: Tautulli)
CVE-2026-31831 (same product: Tautulli)
CVE-2025-58762 (same product: Tautulli)
CVE-2026-28505 (same product: Tautulli)
CVE-2026-32275 (same product: Tautulli)
CVE-2026-24457 (shared CWE-27)
CVE-2025-66518 (shared CWE-27)