CVE-2025-62382

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-62382
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-62382.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-62382
Aliases
  • GHSA-8gv4-5jr9-v96j
Published
2025-10-15T17:07:56.413Z
Modified
2025-12-02T20:16:54.730287Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Frigate Vulnerable to Arbitrary File Read via Export Thumbnail "image_path" parameter
Details

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.2, Frigate's export workflow allows an authenticated operator to nominate any filesystem location as the thumbnail source for a video export. Because that path is copied verbatim into the publicly served clips directory, the feature can be abused to read arbitrary files that reside on the host running Frigate. In practice, a low-privilege user with API access can pivot from viewing camera footage to exfiltrating sensitive configuration files, secrets, or user data from the appliance itself. This behavior violates the principle of least privilege for the export subsystem and turns a convenience feature into a direct information disclosure vector, with exploitation hinging on a short race window while the background exporter copies the chosen file into place before cleanup runs. This vulnerability is fixed in 0.16.2.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62382.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-73"
    ]
}
References

Affected packages

Git / github.com/blakeblackshear/frigate

Affected ranges

Type
GIT
Repo
https://github.com/blakeblackshear/frigate
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4d582062fba09f69fb40658fbe02b4f527dc46af

Affected versions

0.*

0.1.2

v0.*

v0.0.1
v0.1.0
v0.1.1
v0.10.0
v0.10.1
v0.11.0
v0.11.0-beta2
v0.11.0-beta3
v0.11.0-beta4
v0.11.0-beta5
v0.11.0-beta6
v0.11.0-beta7
v0.11.0-rc1
v0.11.0-rc2
v0.11.0-rc3
v0.11.1
v0.12.0
v0.12.0-beta1
v0.12.0-beta10
v0.12.0-beta2
v0.12.0-beta3
v0.12.0-beta4
v0.12.0-beta5
v0.12.0-beta6
v0.12.0-beta7
v0.12.0-beta8
v0.12.0-beta9
v0.12.0-rc1
v0.12.0-rc2
v0.12.1
v0.13.0
v0.13.0-beta1
v0.13.0-beta2
v0.13.0-beta3
v0.13.0-beta4
v0.13.0-beta5
v0.13.0-beta6
v0.13.0-beta7
v0.13.0-rc1
v0.13.1
v0.13.2
v0.14.0
v0.14.0-beta1
v0.14.0-beta2
v0.14.0-beta3
v0.14.0-beta4
v0.14.0-rc1
v0.14.0-rc2
v0.14.1
v0.15.0
v0.15.0-beta1
v0.15.0-beta2
v0.15.0-beta3
v0.15.0-beta4
v0.15.0-beta5
v0.15.0-beta6
v0.15.0-beta7
v0.15.0-rc1
v0.15.0-rc2
v0.15.1
v0.15.2
v0.16.0
v0.16.0-beta1
v0.16.0-beta2
v0.16.0-beta3
v0.16.0-beta4
v0.16.0-rc1
v0.16.0-rc2
v0.16.0-rc3
v0.16.0-rc4
v0.16.1
v0.2.0
v0.2.0-beta
v0.2.1
v0.2.2
v0.2.2-beta
v0.3.0
v0.5.0
v0.5.0-rc2
v0.5.0-rc4
v0.5.1
v0.5.2
v0.6.0
v0.6.0-rc1
v0.6.0-rc2
v0.6.0-rc3
v0.6.1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.9.0
v0.9.0-beta1
v0.9.0-beta2
v0.9.0-rc1
v0.9.0-rc2
v0.9.0-rc3
v0.9.0-rc4
v0.9.0-rc5
v0.9.0-rc6
v0.9.1
v0.9.2
v0.9.3
v0.9.4