Overview
The vulnerability tracked as CVE-2025-58761 is a significant security flaw discovered in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. Because Tautulli is widely deployed alongside Plex Media Server for multimedia sharing and streaming, the flaw could potentially affect millions of users worldwide. The gravity of this threat lies in its potential to give unauthenticated attackers the ability to read arbitrary files from the application server’s filesystem. If exploited, this vulnerability could lead to system compromise and data leakage, putting sensitive user information at risk.
Vulnerability Summary
CVE ID: CVE-2025-58761
Severity: High – CVSS Score 8.6
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise and data leakage
Affected Products
Product | Affected Versions
--- | ---
Tautulli | v2.15.3 and prior
How the Exploit Works
The `real_pms_image_proxy` endpoint in Tautulli v2.15.3 and prior is susceptible to a path traversal attack. The endpoint is designed to fetch an image directly from the Plex Media Server. The image to be fetched is specified through an `img` URL parameter, which can be either a URL or a file path. However, an attacker can bypass the validation process by starting the `img` parameter with a valid prefix and then appending path traversal sequences to reach files outside the intended directories. By exploiting this vulnerability, an attacker can read files on the application file system, including the `config.ini` file containing the hashed admin password and the `tautulli.db` SQLite database containing active JWT tokens.
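The weakness described above is a prefix-only check: the parameter is accepted because it begins with an expected directory name, and nothing verifies where the path lands once the `..` segments are resolved. The following is an added illustration of that bug class next to a containment check that closes it; it is not Tautulli's code, and the directory layout (`IMAGE_ROOT`), the `ALLOWED_PREFIX` value and the function names are assumptions made for the example.

```python
import posixpath
from typing import Optional

# Constructed layout for the example; not Tautulli's real directory structure.
IMAGE_ROOT = "/srv/tautulli"
ALLOWED_PREFIX = "interfaces/"


def resolve_prefix_only(img: str) -> Optional[str]:
    """Flawed validation: a prefix test alone.

    Anything starting with the allowed prefix is accepted, but the '..'
    segments after it are never examined.  Returns the path the OS would
    actually open once it collapses those segments (modelled with normpath).
    """
    if not img.startswith(ALLOWED_PREFIX):
        return None
    return posixpath.normpath(posixpath.join(IMAGE_ROOT, img))


def resolve_contained(img: str) -> Optional[str]:
    """Hardened validation: prefix test plus containment after normalisation.

    The candidate is normalised first and then required to lie under
    IMAGE_ROOT.  Traversal sequences and absolute paths both end up outside
    the root and are refused.  In production, resolve with os.path.realpath
    so symlinks are followed too; posixpath is used here only so the example
    runs without touching a filesystem.
    """
    if not img.startswith(ALLOWED_PREFIX):
        return None
    candidate = posixpath.normpath(posixpath.join(IMAGE_ROOT, img))
    # commonpath must be the root itself.  A plain candidate.startswith(IMAGE_ROOT)
    # would wrongly accept a sibling such as /srv/tautulli2/... .
    if posixpath.commonpath([IMAGE_ROOT, candidate]) != IMAGE_ROOT:
        return None
    return candidate


# Constructed inputs: one legitimate image, the traversal shape from the
# advisory, an absolute path, and a sibling-directory escape.
SAMPLES = [
    "interfaces/default/images/logo.png",
    "interfaces/default/images/../../../../../etc/passwd",
    "/etc/passwd",
    "interfaces/../../tautulli2/secret",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}")
        print(f"  prefix-only -> {resolve_prefix_only(sample)!r}")
        print(f"  contained   -> {resolve_contained(sample)!r}")
```

A containment check is only as strong as the root it is anchored to: serving images from a dedicated directory rather than the application directory keeps files such as `config.ini` and `tautulli.db` out of reach even for paths that never leave the root.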
Conceptual Example Code
Here’s a hypothetical example of how an attacker could exploit this vulnerability using an HTTP request:
GET /real_pms_image_proxy?img=interfaces/default/images/../../../../../etc/passwd HTTP/1.1
Host: target.example.com
In this example, the attacker appends path traversal characters to the `img` parameter, attempting to fetch the `/etc/passwd` file, which is a sensitive file on Unix-based systems.
Impact of the Exploit
If the vulnerability is successfully exploited, an attacker could gain administrative control over the application by recovering the hashed admin password from `config.ini` or active JWT tokens from `tautulli.db`. This could lead to a range of harmful outcomes, including unauthorized access to sensitive user data and the potential to manipulate or corrupt system files and data, leading to system instability or failure.
Suggested Remediation
The recommended solution to this vulnerability is to apply the vendor-supplied patch, which is available in version 2.16.0 of Tautulli. Until the patch can be applied, it is advisable to use a Web Application Firewall (WAF) or Intrusion Detection System (IDS) as a temporary mitigation to detect and block attempts to exploit this vulnerability.
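The WAF or IDS rule suggested above needs to recognise the traversal shape from the example request, including URL-encoded and double-encoded variants that a naive string match would miss. As an added example (not part of the advisory or the Tautulli project), the following checker scans access-log lines for `/real_pms_image_proxy` requests whose `img` parameter escapes the expected directory; the log lines, addresses and timestamps are constructed, and the log format is assumed to be Apache/nginx combined format.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log; client addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /real_pms_image_proxy?img=interfaces/default/images/logo.png HTTP/1.1" 200 1234
203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /real_pms_image_proxy?img=interfaces/default/images/../../../../../etc/passwd HTTP/1.1" 200 2451
203.0.113.7 - - [10/Oct/2025:12:00:03 +0000] "GET /real_pms_image_proxy?img=interfaces%2Fdefault%2F..%252F..%252Fconfig.ini HTTP/1.1" 200 900
203.0.113.9 - - [10/Oct/2025:12:00:04 +0000] "GET /home HTTP/1.1" 200 5000
"""

# Common/combined log format: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# A '..' that is a whole path segment, bounded by start/end or a slash or backslash.
TRAVERSAL_SEGMENT = re.compile(r'(^|/|\\)\.\.($|/|\\)')

VULNERABLE_PATH = "/real_pms_image_proxy"


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (bounded) so %252E%252E is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(img: str) -> bool:
    """True if the decoded img value is absolute or contains a '..' segment."""
    img = decode_fully(img)
    return img.startswith("/") or TRAVERSAL_SEGMENT.search(img) is not None


def flag_requests(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request to the vulnerable endpoint with a traversal img."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != VULNERABLE_PATH:
            continue
        # parse_qs performs the first percent-decode; decode_fully handles the rest.
        for img in parse_qs(parts.query).get("img", []):
            if is_traversal(img):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "img": decode_fully(img),
                    "status": int(m["status"]),
                })
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} img={hit['img']}")
```

On an unpatched server a flagged request that returned status 200 should be treated as a likely successful read, which is the cue to rotate the admin password and invalidate active JWT tokens after upgrading.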