CVE-2025-62382
📋 TL;DR
CVE-2025-62382 is a path traversal vulnerability in Frigate NVR that allows authenticated users to read arbitrary files on the host system. Attackers can exfiltrate sensitive configuration files, secrets, or user data by abusing the video export thumbnail feature. This affects all Frigate installations prior to version 0.16.2.
💻 Affected Systems
- Frigate NVR
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Frigate appliance with exfiltration of all sensitive files including secrets, configuration, and user data, potentially leading to lateral movement in the network.
Likely Case
Exfiltration of sensitive configuration files and secrets from the Frigate host, compromising the NVR system and potentially exposing camera credentials.
If Mitigated
Limited impact with proper network segmentation and strict access controls limiting authenticated user access.
🎯 Exploit Status
Exploitation requires authenticated API access and involves a race condition during file copying. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.16.2
Vendor Advisory: https://github.com/blakeblackshear/frigate/security/advisories/GHSA-8gv4-5jr9-v96j
Restart Required: Yes
Instructions:
1. Back up the Frigate configuration.
2. Update Frigate to version 0.16.2 or later using your deployment method (Docker, manual install, etc.).
3. Restart the Frigate service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Restrict API Access
Linux: Limit access to the Frigate API to trusted users only, using network controls or authentication middleware.
Use firewall rules to restrict access (the ACCEPT rule must come before the DROP rule; replace trusted_ip with your management host or subnet):
iptables -A INPUT -p tcp --dport 5000 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP
Note that when Frigate runs in Docker with a published port, that traffic passes through the FORWARD chain (Docker's DOCKER-USER chain is the supported place to filter it), so INPUT rules alone will not block it.
Disable Export Feature
All platforms: Disable the export workflow feature if it is not required.
Edit Frigate's config.yml and remove or comment out the export-related configuration.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Frigate from sensitive systems
- Apply principle of least privilege to Frigate service account and file permissions
🔍 How to Verify
Check if Vulnerable:
Check the Frigate version with docker exec frigate cat /VERSION or in the web UI. If the version is below 0.16.2, the system is vulnerable.
Check Version:
docker exec frigate cat /VERSION 2>/dev/null || grep version /config/config.yml
Verify Fix Applied:
Verify that the Frigate version is 0.16.2 or higher. Test the export functionality with controlled paths to confirm that path traversal is blocked.
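The version check above, automated as an added Python helper (this is not Frigate's own code and not the site's verification script). It assumes /VERSION holds a plain version such as 0.16.1, optionally prefixed with v or followed by a suffix like -beta1; a pre-release of 0.16.2 is conservatively treated as still vulnerable, and an unparseable string raises instead of being reported as safe.

```python
import re
import subprocess

FIXED_VERSION = (0, 16, 2)  # advisory: patched in Frigate 0.16.2

# Assumed /VERSION layout: '0.16.1', 'v0.16.2', or '0.16.2-beta1' (optional suffix).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?P<suffix>[-+.][^\s]*)?\s*$")
_PRERELEASE_RE = re.compile(r"alpha|beta|rc|dev", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, is_prerelease), or None if text is not a version."""
    m = _VERSION_RE.match(text)
    if m is None:
        return None
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group("suffix") or ""
    return core + (bool(_PRERELEASE_RE.search(suffix)),)


def is_vulnerable(version_text):
    """True when the version is below 0.16.2, or is a pre-release of 0.16.2
    (treated as unpatched). Raises on unparseable input so an unknown
    version is never reported as safe."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    core, prerelease = parsed[:3], parsed[3]
    return core < FIXED_VERSION or (core == FIXED_VERSION and prerelease)


def read_container_version(container="frigate"):
    """Run the page's check (`docker exec <container> cat /VERSION`); needs Docker access."""
    out = subprocess.run(["docker", "exec", container, "cat", "/VERSION"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    version = read_container_version()
    state = "VULNERABLE (update to 0.16.2 or later)" if is_vulnerable(version) else "patched"
    print(f"Frigate {version.strip()}: {state}")
```

Run it on the Docker host; if the container has a different name, pass it to read_container_version.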
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in export logs
- Multiple failed export attempts with unusual paths
- Access to sensitive file paths in system logs
Network Indicators:
- Unusual outbound traffic from Frigate host
- Large data transfers from Frigate API endpoints
SIEM Query:
source="frigate" AND ((event="export" AND path CONTAINS "../") OR (event="file_access" AND path NOT LIKE "/media/%"))
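The log indicators and SIEM query above, worked through as an added Python detector over constructed sample lines (this is not real Frigate log output, and the user=/event=/path=/status= layout and the /media/ root are assumptions, not the project's format). It goes further than a plain CONTAINS "../" match: it undoes single and double percent-encoding, unifies backslashes and dot segments, flags any path that normalises outside the media root regardless of event type, and counts flagged events per user so repeated attempts stand out.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (not real Frigate output); the field layout is an assumption.
SAMPLE_LOG = """\
2025-10-20T10:01:02Z user=alice event=export path=/media/frigate/clips/front.mp4 status=200
2025-10-20T10:01:09Z user=bob event=export path=../../../../etc/passwd status=400
2025-10-20T10:01:10Z user=bob event=export path=%2e%2e/%2e%2e/config/config.yml status=400
2025-10-20T10:01:11Z user=bob event=export path=..%252f..%252fconfig%252fconfig.yml status=400
2025-10-20T10:01:15Z user=carol event=file_access path=/config/config.yml status=200
2025-10-20T10:02:00Z user=alice event=file_access path=/media/frigate/exports/x.mp4 status=200
"""

MEDIA_ROOT = "/media/"  # assumed media root, matching the page's SIEM query
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def normalize_path(raw):
    """Return (normalized, decoded): percent-decode repeatedly so double
    encoding (%252e) is undone, unify separators, then collapse dot segments."""
    decoded = raw
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = decoded.replace("\\", "/")
    return posixpath.normpath(decoded), decoded


def classify(raw_path):
    """List the reasons a path is suspicious; an empty list means it looks benign."""
    normalized, decoded = normalize_path(raw_path)
    reasons = []
    if ".." in decoded.split("/"):
        reasons.append("dot-dot segment")
    if not normalized.startswith(MEDIA_ROOT):
        reasons.append("resolves outside media root")
    return reasons


def analyze(log_text):
    """Scan log lines; return (findings, flagged-events-per-user)."""
    findings = []
    per_user = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        rec = m.groupdict()
        reasons = classify(rec["path"])
        if reasons:
            findings.append({**rec, "reasons": reasons})
            per_user[rec["user"]] += 1
    return findings, per_user


def repeat_offenders(per_user, threshold=3):
    """Users with at least `threshold` flagged events (the 'multiple attempts' indicator)."""
    return sorted(u for u, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} user={f['user']} event={f['event']} path={f['path']} -> {', '.join(f['reasons'])}")
    print("repeat offenders:", repeat_offenders(counts))
```

Point analyze at your real access or export log after adjusting LINE_RE to its layout; the normalisation in classify is the part worth keeping, since encoded traversal sequences slip past a literal "../" match.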