CVE-2025-58762 Overview
CVE-2025-58762 is a path traversal vulnerability in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. The flaw affects Tautulli version 2.15.3 and earlier. An attacker with administrative access can abuse the pms_image_proxy endpoint to write arbitrary Python scripts to the application filesystem. When combined with the built-in Script notification agent, this file write primitive escalates to remote code execution on the application server. The vulnerability is classified as CWE-73: External Control of File Name or Path.
Critical Impact
An authenticated administrator can achieve remote code execution by chaining a path traversal file write with the Script notification agent, fully compromising the Tautulli host.
Affected Products
- Tautulli versions up to and including 2.15.3
- Tautulli deployments configured with administrative access exposed to untrusted networks
- Installations using the Script notification agent feature
Discovery Timeline
- 2025-09-09 - CVE-2025-58762 published to NVD
- 2025-09-18 - Last updated in NVD database
Technical Details for CVE-2025-58762
Vulnerability Analysis
The vulnerability resides in the pms_image_proxy endpoint, which fetches and caches images from the configured Plex Media Server (PMS). Tautulli constructs a cache file path using a hash of the requested metadata concatenated with the user-supplied img_format parameter. Because img_format is appended to the end of the file path without sanitization, an attacker controls the file extension and, through path traversal sequences, the destination directory and filename.
When the cache lookup fails, Tautulli fetches the image content from the configured PMS URL. If the attacker has previously reconfigured the PMS URL to point at a server they control, that server can return arbitrary bytes, including valid Python source code, and Tautulli writes the attacker-controlled response into the attacker-controlled path. The attacker then triggers execution by invoking the Script notification agent, which runs local Python files from the application filesystem.
Root Cause
The root cause is improper neutralization of path traversal characters in the img_format request parameter. The application trusts administrator-supplied input when building filesystem paths and does not validate that the resulting path remains within the intended cache directory or restrict the written file extension to image formats.
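The following is an added example, not Tautulli's own code, showing the two checks the root-cause description says are missing: restricting the format to an allowlist of image extensions and confirming the resolved path stays inside the cache directory. The function names, the allowlist contents and the cache directory value are assumptions chosen for illustration; the naive variant is kept only to contrast its behaviour with the hardened one.

```python
import os
import re
from pathlib import Path

# Assumed allowlist for illustration; the formats a real deployment accepts may differ.
ALLOWED_IMAGE_FORMATS = {"png", "jpg", "jpeg", "gif", "webp"}


def naive_cache_path(cache_dir: str, img_hash: str, img_format: str) -> str:
    """The unsafe pattern the advisory describes: the caller-supplied format
    string is appended to the path without any validation, so it can carry
    both traversal sequences and an arbitrary extension."""
    return os.path.join(cache_dir, f"{img_hash}.{img_format}")


def escapes_cache_dir(cache_dir: str, img_hash: str, img_format: str) -> bool:
    """True when the naive construction would resolve outside cache_dir."""
    root = Path(cache_dir).resolve()
    target = Path(naive_cache_path(cache_dir, img_hash, img_format)).resolve()
    return not target.is_relative_to(root)  # Path.is_relative_to needs Python 3.9+


def safe_cache_path(cache_dir: str, img_hash: str, img_format: str) -> Path:
    """Hardened variant (hypothetical): allowlist the extension, require a hex
    cache key, and verify the resolved path is a direct child of the cache
    directory before it is ever used for a write."""
    fmt = img_format.lower()
    if fmt not in ALLOWED_IMAGE_FORMATS:
        raise ValueError(f"unsupported image format: {img_format!r}")
    if not re.fullmatch(r"[0-9a-f]{32,64}", img_hash):
        raise ValueError("cache key must be a hex digest")
    root = Path(cache_dir).resolve()
    candidate = (root / f"{img_hash}.{fmt}").resolve()
    # Belt and braces: even though fmt and img_hash cannot contain separators
    # after the checks above, refuse anything that is not directly under root.
    if candidate.parent != root:
        raise ValueError("cache path escaped the cache directory")
    return candidate


if __name__ == "__main__":
    key = "a" * 32  # constructed cache key
    print(escapes_cache_dir("/var/lib/tautulli/cache", key, "../../../tmp/x.py"))
    print(safe_cache_path("/var/lib/tautulli/cache", key, "PNG"))
```

Resolving the path before the containment check matters: a purely lexical comparison on the joined string would still accept a value that normalises to a different directory once `..` components are collapsed.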
Attack Vector
Exploitation requires administrative access to Tautulli and the ability to point the application at an attacker-controlled PMS endpoint. The attack proceeds in three stages:
- The attacker modifies the configured PMS URL to a server under their control.
- The attacker issues a pms_image_proxy request with a URL in the img parameter and a path traversal payload in the img_format parameter, causing Tautulli to write the attacker-controlled response body to an arbitrary .py file on disk.
- The attacker configures and triggers the Script notification agent to execute the planted Python file, achieving remote code execution.
The vulnerability mechanics are documented in the GitHub Security Advisory GHSA-pxhr-29gv-4j8v and the corresponding upstream patch commit.
Detection Methods for CVE-2025-58762
Indicators of Compromise
- Unexpected .py files appearing in the Tautulli cache directory or application directories
- HTTP requests to pms_image_proxy containing ../ sequences or non-image extensions in the img_format parameter
- Configuration changes to the PMS server URL pointing to unfamiliar external hosts
- New or modified entries in the Script notification agent configuration referencing recently created files
Detection Strategies
- Inspect Tautulli access logs for pms_image_proxy requests where img_format contains path traversal characters or executable extensions such as .py
- Monitor process execution telemetry for Python interpreters spawned by the Tautulli process executing scripts from non-standard paths
- Alert on outbound HTTP requests from Tautulli to PMS endpoints that resolve to external or non-corporate IP ranges
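As an added example (not part of the original advisory or of Tautulli), the log inspection strategy above can be scripted: the scanner below parses access-log lines in a generic combined-log layout, isolates requests to pms_image_proxy, and flags an img_format value that contains traversal characters or a non-image extension, plus an img parameter that carries an absolute URL. The sample log lines, client addresses and the allowlist of image formats are constructed for illustration; real Tautulli logs may use a different layout, so the line regex is the part to adapt.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in a combined-log layout; these are not real Tautulli output.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2025:12:00:01 +0000] "GET /pms_image_proxy?img=%2Flibrary%2Fmetadata%2F123%2Fthumb&img_format=png HTTP/1.1" 200 5120
10.0.0.5 - - [10/Sep/2025:12:00:02 +0000] "GET /pms_image_proxy?img=http%3A%2F%2F198.51.100.7%2Fx&img_format=..%2F..%2F..%2Fscripts%2Fplanted.py HTTP/1.1" 200 812
10.0.0.9 - - [10/Sep/2025:12:00:03 +0000] "GET /pms_image_proxy?img=%2Flibrary%2Fmetadata%2F456%2Fthumb&img_format=sh HTTP/1.1" 200 77
10.0.0.9 - - [10/Sep/2025:12:00:04 +0000] "GET /home HTTP/1.1" 200 9001
"""

# Assumed allowlist of legitimate image formats for the cache.
ALLOWED_IMAGE_FORMATS = {"png", "jpg", "jpeg", "gif", "webp"}

_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def img_format_reason(value: str) -> Optional[str]:
    """Return why an img_format value is suspicious, or None if it looks benign."""
    # parse_qs already decoded once; a second pass catches double-encoded separators.
    decoded = unquote(value)
    if ".." in decoded or "/" in decoded or "\\" in decoded:
        return "path traversal in img_format"
    if decoded.lower() not in ALLOWED_IMAGE_FORMATS:
        return f"non-image extension in img_format: {decoded!r}"
    return None


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Collect pms_image_proxy requests whose parameters match the advisory's indicators."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected layout
        target = urlsplit(m.group("target"))
        if target.path.rstrip("/") != "/pms_image_proxy":
            continue
        params = parse_qs(target.query)
        reasons: List[str] = []
        for img in params.get("img", []):
            if urlsplit(img).scheme in ("http", "https"):
                reasons.append("absolute URL in img parameter")
        for fmt in params.get("img_format", []):
            reason = img_format_reason(fmt)
            if reason:
                reasons.append(reason)
        if reasons:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Correlating a hit from this scan with a configuration change to the PMS URL and a subsequent Script notification agent invocation, as the monitoring recommendations suggest, turns a single suspicious request into evidence of the full chain.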
Monitoring Recommendations
- Enable file integrity monitoring on the Tautulli installation directory and cache directories
- Audit Tautulli administrator authentication events and configuration change history
- Correlate notification agent invocations with recent file write events in the application filesystem
How to Mitigate CVE-2025-58762
Immediate Actions Required
- Upgrade Tautulli to version 2.16.0, which contains the official patch
- Restrict network access to the Tautulli administrative interface to trusted management networks only
- Rotate Tautulli administrator credentials and review recent configuration changes for unauthorized PMS URL modifications
- Review the Tautulli filesystem for unexpected Python files and remove any unauthorized scripts
Patch Information
The vendor released a fix in Tautulli 2.16.0. The patch is published in commit 26e6b328112eb2cf35c164f981e0718f3a3d31a7 and described in the GHSA-pxhr-29gv-4j8v advisory. Administrators should upgrade as the primary remediation step.
Workarounds
- Disable the Script notification agent until the upgrade is applied to break the RCE exploitation chain
- Place Tautulli behind a reverse proxy that enforces strict authentication and IP allowlisting for administrative endpoints
- Enforce egress filtering so the Tautulli host can only reach the legitimate, expected PMS endpoint
# Example: upgrade Tautulli via git to the patched release
cd /opt/Tautulli
git fetch --tags
git checkout v2.16.0
systemctl restart tautulli
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.