
CVE-2025-58763: Tautulli Command Injection RCE Vulnerability

CVE-2025-58763 is a command injection vulnerability in Tautulli that enables authenticated admins to execute arbitrary code on servers with manual GitHub installations. This article covers technical details, affected versions, and mitigation.


CVE-2025-58763 Overview

CVE-2025-58763 is a command injection vulnerability in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. The flaw affects Tautulli v2.15.3 and prior versions when the application is cloned from GitHub and installed manually. An attacker with administrative privileges can achieve remote code execution on the application server by abusing the update mechanism that wraps the git command. Version 2.16.0 contains the fix. The issue is tracked under CWE-78 (OS Command Injection).

Critical Impact

Authenticated administrators can execute arbitrary operating system commands on the Tautulli host, leading to full compromise of the application server.

Affected Products

  • Tautulli v2.15.3 and earlier (manual GitHub installations)
  • Tautulli versions managing updates via the runGit function in versioncheck.py
  • Tautulli deployments exposing the checkout_git_branch endpoint

Discovery Timeline

  • 2025-09-09 - CVE-2025-58763 published to NVD
  • 2025-09-18 - Last updated in NVD database

Technical Details for CVE-2025-58763

Vulnerability Analysis

The vulnerability resides in Tautulli's update and versioning logic. When the application is cloned from GitHub and installed manually, Tautulli executes git commands to manage updates. The runGit function in versioncheck.py invokes subprocess.Popen with shell=True, which causes shell metacharacters within arguments to be interpreted by the underlying shell. Any unsanitized data flowing into a command string therefore becomes executable input.

The checkout_git_branch endpoint provides a concrete trigger. It accepts a user-supplied remote and branch name and stores those values directly into the GIT_REMOTE and GIT_BRANCH configuration keys without sanitization. Downstream code retrieves these keys and passes them into runGit through a format string. An administrator submitting a value containing $() command substitution achieves arbitrary code execution under the Tautulli process account.

Root Cause

The root cause is the combination of shell=True in subprocess.Popen calls and the lack of input validation on configuration values consumed by those calls. Trust placed in administrator-supplied values allows shell metacharacters to bypass any intended command boundary.

Attack Vector

Exploitation requires authenticated access with administrative privileges. An attacker submits crafted values to the checkout_git_branch endpoint, populating GIT_REMOTE or GIT_BRANCH with shell substitution syntax such as $(command). When Tautulli next invokes runGit with these values, the injected command runs under the shell. Further technical detail is available in the GitHub Security Advisory GHSA-jrm9-r57q-6cvf.
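A hardened git wrapper, written here as an added example; it is not Tautulli's own code and not the change shipped in 2.16.0. The function names (is_safe_git_ref, build_git_command, run_git) and the allowlist pattern are this example's own choices, and the vulnerable shape is only described in a comment rather than executed.

```python
import re
import subprocess
from typing import List

# Vulnerable shape described above (never use): a format string handed to
# subprocess.Popen(..., shell=True), so "$(...)" in a branch name is expanded.
# The safe shape below validates each ref and passes an argv list, shell=False.

# Allowlist for remote/branch names: must start with an alphanumeric (so a
# value can never be parsed as a git option such as "-f") and may only use
# characters git accepts in ref names. $ ` ; | & quotes and whitespace fail.
SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,127}")


def is_safe_git_ref(value: str) -> bool:
    """Return True only for an allowlisted remote or branch name."""
    return SAFE_REF.fullmatch(value) is not None and ".." not in value


def build_git_command(subcommand: str, *refs: str) -> List[str]:
    """Build the argv list for git, refusing any ref that fails the allowlist.

    Because a list (not a string) goes to subprocess, no shell is involved:
    a value like "master$(cmd)" would reach git as literal bytes, and here it
    never gets that far.
    """
    for ref in refs:
        if not is_safe_git_ref(ref):
            raise ValueError(f"refusing unsafe git ref: {ref!r}")
    return ["git", subcommand, *refs]


def run_git(subcommand: str, *refs: str, cwd: str = ".") -> str:
    """Hardened runner: validated argv, shell=False, stdout returned."""
    argv = build_git_command(subcommand, *refs)
    proc = subprocess.run(argv, cwd=cwd, capture_output=True, text=True, check=False)
    return proc.stdout.strip()


if __name__ == "__main__":
    # Constructed examples: the first is accepted, the second is rejected
    # before any process is spawned.
    print(build_git_command("checkout", "develop"))
    try:
        build_git_command("checkout", "master$(EXAMPLE)")
    except ValueError as exc:
        print(exc)
```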

Detection Methods for CVE-2025-58763

Indicators of Compromise

  • Unexpected child processes spawned by the Tautulli Python process, particularly shells (sh, bash) or interpreters launched outside of normal git operations.
  • Modifications to the GIT_REMOTE or GIT_BRANCH keys in the Tautulli configuration file containing characters such as $, `, ;, |, or &.
  • Outbound network connections from the Tautulli host that do not correspond to Plex API traffic or GitHub update checks.

Detection Strategies

  • Review web access logs for POST requests to the checkout_git_branch endpoint and inspect submitted parameters for shell metacharacters.
  • Audit the Tautulli configuration file for suspicious values in GIT_REMOTE and GIT_BRANCH.
  • Correlate Tautulli process activity with subsequent shell command execution to surface command injection behavior.
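The indicators and detection strategies above turned into a check that runs over a configuration file and a web access log, as an added example that is not from the page or the Tautulli project. It assumes an INI-style config with git_remote and git_branch keys, common-log-format access lines, and remote/branch as the query parameter names; all sample data is constructed.

```python
import configparser
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters from the indicator list ($ ` ; | &) plus the ones that
# usually travel with them; a legitimate git remote or branch name has none.
SHELL_META = re.compile(r"[$`;|&<>(){}'\"\\\s]")
# Config keys named in the advisory; lower-case INI keys under [General] are an
# assumption about the on-disk format, not Tautulli's actual schema.
WATCHED_KEYS = ("git_remote", "git_branch")

# Constructed sample data (not captured from a real host).
SAMPLE_CONFIG = """[General]
git_remote = origin
git_branch = master$(EXAMPLE)
"""
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Sep/2025:10:00:01 +0000] "GET /home HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Sep/2025:10:00:07 +0000] "POST /checkout_git_branch?remote=origin&branch=master HTTP/1.1" 200 2',
    '10.0.0.9 - - [09/Sep/2025:10:01:30 +0000] "POST /checkout_git_branch?remote=origin&branch=master%24%28EXAMPLE%29 HTTP/1.1" 200 2',
]


def suspicious_config_values(ini_text: str) -> dict:
    """Map 'section.key' -> value for watched keys holding shell metacharacters."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    hits = {}
    for section in cfg.sections():
        for key in WATCHED_KEYS:
            if cfg.has_option(section, key):
                value = cfg.get(section, key).strip()
                if SHELL_META.search(value):
                    hits[f"{section}.{key}"] = value
    return hits


def suspicious_access_lines(log_lines: list) -> list:
    """Return lines whose checkout_git_branch query string carries metacharacters."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m or "checkout_git_branch" not in m.group(1):
            continue
        # parse_qs percent-decodes, so %24%28 is checked as "$(".
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        if any(SHELL_META.search(v) for vals in params.values() for v in vals):
            flagged.append(line)
    return flagged
```

A POST body never appears in an access log, so the config audit is the more reliable of the two checks and the log scan only catches values sent in the query string.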

Monitoring Recommendations

  • Enable process telemetry on hosts running Tautulli to capture parent-child process lineage involving the Python interpreter.
  • Alert on file integrity changes to versioncheck.py and the Tautulli configuration store.
  • Monitor administrative authentication events to Tautulli and flag changes to update settings.

How to Mitigate CVE-2025-58763

Immediate Actions Required

  • Upgrade Tautulli to version 2.16.0 or later, which contains the fix.
  • Restrict network exposure of the Tautulli administrative interface to trusted management networks only.
  • Rotate administrator credentials and review account access if compromise is suspected.
  • Inspect GIT_REMOTE and GIT_BRANCH values in the Tautulli configuration and reset them to known-good defaults.

Patch Information

The Tautulli maintainers released version 2.16.0 to remediate this issue. Review the Tautulli Security Advisory GHSA-jrm9-r57q-6cvf for upgrade guidance and commit references.

Workarounds

  • Place the Tautulli administrative interface behind a reverse proxy that enforces additional authentication and source IP restrictions.
  • Run Tautulli under a low-privilege service account isolated from sensitive data and credentials on the host.
  • Disable manual git-based update functionality where feasible and rely on package-based or container distributions that do not invoke runGit.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
