CVE-2025-58762
Published: 09 September 2025
Summary
CVE-2025-58762 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in Tautulli (vendor: Tautulli). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 22.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-10 (Information Input Validation): Directly prevents path traversal exploitation by requiring validation and sanitization of the attacker-controlled `img_format` parameter.
- SI-2 (Flaw Remediation): Mitigates the vulnerability comprehensively by identifying, reporting, and applying the vendor-recommended patch that sanitizes `img_format`.
- Detects the arbitrary file write of malicious Python scripts through monitoring and integrity verification of application filesystem changes.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Path traversal in the public `pms_image_proxy` endpoint enables an arbitrary file write (initial access via T1190); combined with the `Script` notification agent, it allows writing and executing Python payloads for RCE (T1059.006).
NVD Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. In Tautulli v2.15.3 and earlier, an attacker with administrative access can use the `pms_image_proxy` endpoint to write arbitrary python scripts into the application filesystem. This leads to remote code execution when combined with the `Script` notification agent. If an attacker with administrative access changes the URL of the PMS to a server they control, they can then abuse the `pms_image_proxy` to obtain a file write into the application filesystem. This can be done by making a `pms_image_proxy` request with a URL in the `img` parameter and the desired file name in the `img_format` parameter. Tautulli then uses a hash of the desired metadata together with the `img_format` in order to construct a file path. Since the attacker controls `img_format`, which occupies the end of the file path, and `img_format` is not sanitised, the attacker can then use path traversal characters to specify a filename of their choosing. If the specified file does not exist, Tautulli will then attempt to fetch the image from the configured PMS. Since the attacker controls the PMS, they can return arbitrary content in response to this request, which will then be written into the specified file. An attacker can write an arbitrary python script into a location on the application file system. The attacker can then make use of the built-in `Script` notification agent to run the local script, obtaining remote code execution on the application server. Users should upgrade to version 2.16.0 to receive a patch.
Deeper analysis (AI)
CVE-2025-58762 is a path traversal vulnerability in the `pms_image_proxy` endpoint of Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. Affecting versions 2.15.3 and earlier, the flaw arises because the `img_format` parameter is not sanitized, allowing attackers to manipulate file paths using traversal characters. This enables arbitrary file writes to the application filesystem when Tautulli fetches content from a configured Plex Media Server (PMS), as the tool constructs file paths using a hash of metadata combined with the attacker-controlled `img_format`.
An attacker with administrative access to Tautulli can exploit this by first changing the PMS URL to a server they control. They then send a request to the `pms_image_proxy` endpoint, specifying a URL in the `img` parameter and a malicious filename via `img_format` with path traversal. When the target file does not exist, Tautulli fetches arbitrary content from the attacker's PMS and writes it (for example a Python script) to the desired location. Combining this with Tautulli's built-in `Script` notification agent allows the script to be executed, achieving remote code execution on the application server. The CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) reflects high impact despite requiring high privileges.
The Tautulli security advisory (GHSA-pxhr-29gv-4j8v) and corresponding patch in commit 26e6b328112eb2cf35c164f981e0718f3a3d31a7 recommend upgrading to version 2.16.0, which addresses the lack of sanitization in the `img_format` parameter. No additional mitigations are specified in the provided references.
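As an added illustration that is not Tautulli's code, the following Python sketch shows the hardened form of the path construction described above (hash plus `img_format`): both components are validated before any path is formed, and the resolved path is confirmed to lie inside the cache directory, which is the SI-10 input-validation control the page recommends. The function names, the allow-list of extensions and the cache directory layout are assumptions.

```python
import re
from pathlib import Path

# Constructed example (not Tautulli's code). The vulnerable behaviour joined an
# unsanitised img_format onto "<cache_dir>/<hash>"; here the format is checked
# against an allow-list and the final path is confined to the cache directory.
ALLOWED_FORMATS = {"png", "jpg", "jpeg", "webp"}   # assumed allow-list
_HASH_RE = re.compile(r"^[0-9a-f]{32,64}$")         # plain hex digest only


class UnsafePathError(ValueError):
    """Raised when a request would name a file outside the image cache."""


def build_image_path(cache_dir: str, img_hash: str, img_format: str) -> str:
    """Return the absolute cache path for <img_hash>.<img_format>.

    Validation happens before the path exists as a string:
    - img_hash must be a bare hex digest (no separators, no '..').
    - img_format must be one of a fixed set of image extensions.
    A second, independent check confirms the resolved path is strictly
    inside the resolved cache directory, so a future change to the
    allow-list cannot silently reintroduce traversal.
    """
    if not _HASH_RE.fullmatch(img_hash):
        raise UnsafePathError(f"invalid image hash: {img_hash!r}")
    fmt = img_format.lower()
    if fmt not in ALLOWED_FORMATS:
        raise UnsafePathError(f"unsupported img_format: {img_format!r}")

    base = Path(cache_dir).resolve()
    candidate = (base / f"{img_hash}.{fmt}").resolve()
    # resolve() collapses any '..' segments, so the containment test is real.
    if base not in candidate.parents:
        raise UnsafePathError("resolved path escapes the cache directory")
    return str(candidate)


def is_request_safe(cache_dir: str, img_hash: str, img_format: str) -> bool:
    """Predicate form, usable as a request filter or in a detection rule."""
    try:
        build_image_path(cache_dir, img_hash, img_format)
        return True
    except UnsafePathError:
        return False
```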
Details
- CWE(s)