CVE-2025-58760
📋 TL;DR
CVE-2025-58760 is a path traversal vulnerability in Tautulli's /image API endpoint that allows unauthenticated attackers to read arbitrary files from the application server's filesystem. This can lead to exposure of sensitive configuration files and database contents, potentially enabling privilege escalation to administrative control. All Tautulli installations running version 2.15.3 or earlier are affected.
💻 Affected Systems
- Tautulli
📦 What is this software?
Tautulli by Tautulli
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative control over Tautulli, access Plex Media Server tokens and connection details, and potentially compromise the entire media server environment.
Likely Case
Attackers exfiltrate sensitive configuration files and database contents, including hashed admin passwords and JWT tokens, leading to potential privilege escalation.
If Mitigated
Attackers can only access publicly available static images as intended by the /image endpoint functionality.
🎯 Exploit Status
The vulnerability is simple to exploit with basic HTTP requests using path traversal sequences like ../../../ to access files outside the intended directory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.16.0
Vendor Advisory: https://github.com/Tautulli/Tautulli/security/advisories/GHSA-8g4r-8f3f-hghp
Restart Required: Yes
Instructions:
1. Backup your Tautulli configuration and database.
2. Update Tautulli to version 2.16.0 or later using your preferred update method (manual download, git pull, or package manager).
3. Restart the Tautulli service.
4. Verify the update was successful by checking the version in the web interface.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to Tautulli to trusted IP addresses only using firewall rules (replace TRUSTED_IP with your own address or range).
iptables -A INPUT -p tcp --dport 8181 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8181 -j DROP
Reverse Proxy Authentication
Place Tautulli behind a reverse proxy that requires authentication before reaching the vulnerable endpoint.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Tautulli from untrusted networks
- Monitor for suspicious file access patterns and implement file integrity monitoring on critical Tautulli files
🔍 How to Verify
Check if Vulnerable:
Check if Tautulli version is 2.15.3 or earlier via the web interface Settings > General > About, or attempt to access /image endpoint with path traversal payloads.
Check Version:
Check Tautulli web interface at http://your-server:8181/settings#about or view tautulli.log for version information
Verify Fix Applied:
Verify version is 2.16.0 or later in Settings > General > About, and test that path traversal attempts to the /image endpoint now return errors or are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in tautulli.log, especially requests to /image endpoint containing ../ sequences or attempts to access config.ini, tautulli.db, or other sensitive files
Network Indicators:
- HTTP requests to /image endpoint with path traversal payloads (e.g., GET /image/../../../etc/passwd)
SIEM Query:
source="tautulli.log" AND "GET /image" AND ("../" OR "..\\" OR "%2e%2e%2f")
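As an added example (not part of this advisory or of Tautulli), the detection logic above applied to sample log lines: the detector percent-decodes each request path (so single- and double-encoded variants such as %2e%2e%2f and %252e%252e%252f collapse to ../) and flags any /image request that contains a traversal sequence. The log lines and the Apache-style line format are constructed for illustration and are not Tautulli's real log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/Nginx style, NOT Tautulli's real format).
# Only the second through fifth lines should be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2025:10:00:01 +0000] "GET /image?img=pms_image_proxy HTTP/1.1" 200 5120
203.0.113.9 - - [01/Sep/2025:10:00:02 +0000] "GET /image/../../../etc/passwd HTTP/1.1" 200 1840
203.0.113.9 - - [01/Sep/2025:10:00:03 +0000] "GET /image/%2e%2e%2f%2e%2e%2fconfig.ini HTTP/1.1" 200 900
203.0.113.9 - - [01/Sep/2025:10:00:04 +0000] "GET /image/..%5c..%5ctautulli.db HTTP/1.1" 200 4096
203.0.113.9 - - [01/Sep/2025:10:00:05 +0000] "GET /image/%252e%252e%252fconfig.ini HTTP/1.1" 200 900
198.51.100.7 - - [01/Sep/2025:10:00:06 +0000] "GET /home HTTP/1.1" 200 3000
"""

# Pull client IP, method, request path and status code out of one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Forward-slash and backslash traversal sequences after decoding.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def normalize(path: str) -> str:
    """Percent-decode repeatedly (bounded) so nested encodings collapse to plain text."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_attempt(path: str) -> bool:
    """True for a request to the /image endpoint whose decoded path contains ../ or ..\\."""
    return path.startswith("/image") and TRAVERSAL_RE.search(normalize(path)) is not None


def find_traversal_requests(log_text: str) -> list[dict]:
    """Return the flagged requests; a 200 status suggests the read may have succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal_attempt(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['path']}")
```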