CVE-2025-58761 Overview
CVE-2025-58761 is a path traversal vulnerability affecting Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. The real_pms_image_proxy endpoint in Tautulli v2.15.3 and prior versions allows unauthenticated attackers to read arbitrary files from the application server's filesystem by exploiting insufficient input validation on the img URL parameter.
Critical Impact
Unauthenticated attackers can exfiltrate sensitive files including the tautulli.db SQLite database containing active JWT tokens, as well as config.ini which contains hashed admin passwords, JWT token secrets, and Plex Media Server credentials, potentially leading to full administrative control of the application.
Affected Products
- Tautulli versions prior to and including v2.15.3
- All Tautulli installations using the vulnerable real_pms_image_proxy endpoint
- Self-hosted Plex Media Server monitoring deployments using affected Tautulli versions
Discovery Timeline
- September 9, 2025 - CVE-2025-58761 published to NVD
- September 18, 2025 - Last updated in the NVD database
Technical Details for CVE-2025-58761
Vulnerability Analysis
This path traversal vulnerability exists in the real_pms_image_proxy endpoint, which is designed to fetch images directly from a backing Plex Media Server. The endpoint accepts an img URL parameter that can specify either a URL or a file path for the image to be retrieved.
While there is validation logic ensuring that the img parameter begins with the prefix interfaces/default/images before serving files from the local filesystem, this security check can be bypassed. An attacker can craft an img parameter that starts with the valid prefix and then appends path traversal sequences (such as ../) to navigate outside the intended directory structure and access arbitrary files on the server.
The vulnerability is particularly dangerous because the attacker can extract highly sensitive files without requiring any authentication. The exposed data includes the tautulli.db SQLite database containing active JWT authentication tokens, as well as the config.ini configuration file which stores the hashed administrator password, JWT token signing secret, and Plex Media Server access tokens and connection details.
Root Cause
The root cause of this vulnerability is improper input validation (CWE-27: Path Traversal) in the real_pms_image_proxy endpoint. The validation only checks if the img parameter begins with an expected prefix but fails to properly sanitize or validate the remainder of the path. This allows attackers to use relative path sequences (../) to traverse directories and escape the intended image directory, accessing files anywhere on the filesystem accessible to the application process.
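The following Python is an added illustration, not Tautulli's own code: weak_is_allowed() reproduces the pattern the root-cause description above gives (a startswith() test on the raw img parameter), and safe_image_path() shows the defensive alternative, which normalises the path first and only then checks that it still lies inside the images directory. APP_ROOT and IMAGE_PREFIX are assumed values chosen for the example.

```python
"""Prefix check versus path-containment check for an image path parameter.

Added example (not Tautulli's code). weak_is_allowed() is the flawed
pattern described in the advisory; safe_image_path() resolves the path
before deciding whether it is still inside the images directory.
APP_ROOT and IMAGE_PREFIX are assumed values for the illustration.
"""
import posixpath

APP_ROOT = "/opt/tautulli"                  # assumed install directory
IMAGE_PREFIX = "interfaces/default/images"  # prefix the advisory says is checked


def weak_is_allowed(img: str) -> bool:
    """Flawed pattern: only the string prefix is examined, so whatever
    follows it, including '../' segments, is never looked at."""
    return img.startswith(IMAGE_PREFIX)


def safe_image_path(img: str):
    """Return the absolute on-disk path for img if, after normalisation, it
    still lies beneath APP_ROOT/IMAGE_PREFIX; otherwise return None.

    posixpath.normpath collapses '.' and '..' segments, so the containment
    test is made on the real target rather than on the user's string. On a
    live system use os.path.realpath instead so symlinks are followed too.
    """
    if not img.startswith(IMAGE_PREFIX) or "\x00" in img:
        return None
    base = posixpath.normpath(posixpath.join(APP_ROOT, IMAGE_PREFIX))
    target = posixpath.normpath(posixpath.join(APP_ROOT, img))
    # commonpath compares whole path components, so a sibling directory such
    # as 'images-old' is rejected even though it shares the string prefix.
    if posixpath.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for candidate in ("interfaces/default/images/logo.png",
                      "interfaces/default/images/../../../config.ini"):
        print(candidate, weak_is_allowed(candidate), safe_image_path(candidate))
```

The second candidate passes the weak check but resolves to APP_ROOT/config.ini, which is outside the images directory, so the containment check rejects it; the check also rejects sibling directories that merely share the string prefix.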
Attack Vector
The attack is conducted over the network and requires no authentication or user interaction. An attacker can send a specially crafted HTTP request to the real_pms_image_proxy endpoint with an img parameter that:
- Begins with the required prefix interfaces/default/images
- Appends path traversal sequences (../) to navigate to parent directories
- Specifies a target file path such as tautulli.db or config.ini
This allows direct exfiltration of sensitive configuration files and databases. If the attacker successfully retrieves the JWT token from the database or cracks the hashed password from the configuration file, they can escalate privileges to gain full administrative control over the Tautulli application.
The security patch in version 2.16.0 addresses this by implementing additional validation on the image format parameter:
opacity (str): 25
background (str): Hex color, e.g. 282828
blur (str): 3
- img_format (str): png
+ img_format (str): png or jpg
fallback (str): "poster", "cover", "art", "poster-live", "art-live", "art-live-full", "user"
refresh (bool): True or False whether to refresh the image cache
return_hash (bool): True or False to return the self-hosted image hash instead of the image
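Review bot: the visible change is documentation only: the img_format docstring line goes from `png` to `png or jpg`, and no line in this hunk validates the img path or rejects `../` segments. If this hunk is meant to evidence the traversal fix, reference the code hunk that enforces the prefix/containment check on the img parameter (or the img_format allow-list) instead, since this docstring edit alone would not change the endpoint's behaviour.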
Source: GitHub Commit ec77a70
Detection Methods for CVE-2025-58761
Indicators of Compromise
- HTTP requests to the real_pms_image_proxy endpoint containing path traversal sequences (../) in the img parameter
- Unusual access patterns to Tautulli API endpoints from external IP addresses
- Unexpected reads of tautulli.db, config.ini, or other sensitive files outside the images directory
- Authentication anomalies such as new admin sessions from unknown sources after file exfiltration attempts
Detection Strategies
- Monitor web server and application logs for requests to real_pms_image_proxy containing ../ sequences or other path traversal patterns
- Implement web application firewall (WAF) rules to detect and block path traversal attempts in URL parameters
- Set up file integrity monitoring on sensitive Tautulli files including tautulli.db and config.ini
- Alert on unusual patterns of JWT token usage or admin login attempts following suspicious API activity
Monitoring Recommendations
- Enable detailed access logging on the Tautulli web server to capture full request URIs
- Deploy network-based intrusion detection signatures for path traversal attack patterns
- Monitor for unexpected outbound data transfers that could indicate exfiltration of database contents
- Review authentication logs for signs of credential compromise or unauthorized administrative access
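As an added example that is not part of the original advisory, the following Python implements the first indicator and detection strategy above: it scans combined-format access-log lines for requests to the image proxy endpoint whose img parameter, once fully percent-decoded, contains a `..` segment. The log lines are constructed for the example and are not captured from a real host; the route name is matched on the substring pms_image_proxy so both pms_image_proxy and real_pms_image_proxy paths are covered.

```python
"""Flag path-traversal attempts against the image proxy in access logs.

Added example, not part of the advisory. SAMPLE_LOG is constructed;
the IP addresses are documentation ranges, not real clients.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' path segment delimited by '/' or '\' (or at either end of the value).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences are seen too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target: str) -> bool:
    """True if target addresses the image proxy with a traversing img value."""
    parts = urlsplit(target)
    if "pms_image_proxy" not in parts.path:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    return any(TRAVERSAL_RE.search(decode_fully(raw)) for raw in params.get("img", []))


def scan_log(lines):
    """Return (client_ip, request_target, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


# Constructed sample: two traversal attempts (one plain, one double-encoded),
# one legitimate image request and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2025:10:00:01 +0000] "GET /pms_image_proxy?img=interfaces/default/images/../../../config.ini HTTP/1.1" 200 4096 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Sep/2025:10:00:02 +0000] "GET /pms_image_proxy?img=interfaces%2Fdefault%2Fimages%2F%252e%252e%2F%252e%252e%2Ftautulli.db HTTP/1.1" 200 65536 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Sep/2025:10:00:03 +0000] "GET /pms_image_proxy?img=interfaces/default/images/logo.png&width=300 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Sep/2025:10:00:04 +0000] "GET /home HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

A status of 200 on a flagged request is the strongest signal, since it means the file was served rather than rejected; pair such hits with the credential-rotation steps in the mitigation section.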
How to Mitigate CVE-2025-58761
Immediate Actions Required
- Upgrade Tautulli to version 2.16.0 or later immediately to remediate the path traversal vulnerability
- Rotate all credentials including the admin password, JWT token secret, and Plex Media Server tokens if compromise is suspected
- Review access logs for any evidence of exploitation attempts against the real_pms_image_proxy endpoint
- Restrict network access to Tautulli instances, limiting exposure to trusted networks only
Patch Information
The vulnerability has been fixed in Tautulli version 2.16.0. Users should upgrade immediately by updating their Tautulli installation through the standard update mechanism or by manually applying the security patch. The fix is available in commit ec77a70aafc555e1aad0d9981f719d1200c117f1. For detailed information, refer to the GitHub Security Advisory GHSA-r732-m675-wj7w.
Workarounds
- Place Tautulli behind a reverse proxy with WAF rules that block requests containing path traversal sequences
- Restrict access to the Tautulli web interface using firewall rules or network segmentation to trusted IP addresses only
- Implement authentication at the network or reverse proxy level as an additional layer of protection
- Regularly back up and monitor integrity of sensitive files to detect unauthorized access or modification
# Example: Block path traversal attempts in an nginx reverse proxy
# $request_uri is the raw, undecoded request line (path and query), so the
# pattern covers both a literal ".." and its percent-encoded form (%2e%2e);
# ~* makes the match case-insensitive. The regex location covers both the
# pms_image_proxy and real_pms_image_proxy route names.
location ~ ^/(real_)?pms_image_proxy {
    if ($request_uri ~* "(\.|%2e)(\.|%2e)") {
        return 403;
    }
    proxy_pass http://tautulli_backend;  # upstream block named tautulli_backend
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

