Frigate Network Video Recorder Arbitrary File Read Vulnerability

Vulnerability

A vulnerability in Frigate, a network video recorder (NVR) application, prior to version 0.16.2 allows authenticated users to read arbitrary files from the host filesystem. The issue arises because the export workflow lets users specify any file path as the thumbnail source for video exports. The specified file is copied directly into a publicly accessible directory for video clips, creating an opportunity to exfiltrate sensitive files such as configuration data, secrets, or user information. Exploitation relies on a race condition: the copied file must be retrieved from the public directory before the background export process cleans it up, turning a benign feature into a significant information disclosure risk.

Impact

Successful exploitation leads to the unauthorized reading of sensitive files from the host system, with the exfiltrated data accessible to anyone with authenticated HTTP access to the Frigate instance.

Reproduction

To reproduce this vulnerability, authenticate to a Frigate instance and use the export feature to specify a path to a sensitive file as the thumbnail source. After initiating the export, quickly access the exported file through the public clips directory before it is deleted by the application.

Remediation

Users are advised to update Frigate to version 0.16.2 or later. Additionally, absolute paths should be rejected, and an allowlist of Frigate-managed media directories should be enforced before any file is copied. Thumbnails should also be stored outside the web-served directory unless they are intended for exposure.
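The allowlist check described in the remediation, written here as an added Python example rather than Frigate's own code: the media root, the allowlisted directories and the function names are constructed for illustration, and the check canonicalises the path so that "..." segments and symlinks cannot escape the allowed directories.

```python
import os
from pathlib import Path

# Constructed example layout; Frigate's real media paths are not taken from the advisory.
MEDIA_ROOT = Path("/media/frigate")
ALLOWED_MEDIA_DIRS = (MEDIA_ROOT / "clips", MEDIA_ROOT / "recordings")


def resolve_thumbnail_source(user_path: str,
                             media_root: Path = MEDIA_ROOT,
                             allowed_dirs=ALLOWED_MEDIA_DIRS) -> Path:
    """Validate a user-supplied thumbnail path before anything is copied.

    Following the remediation: absolute paths are rejected outright, the
    relative path is anchored under the media root and canonicalised (so
    '..' segments and symlinks are resolved), and the result is accepted
    only if it lies strictly inside one of the allowlisted directories.
    Returns the canonical Path, or raises ValueError.
    """
    if not user_path or "\x00" in user_path:
        raise ValueError("thumbnail path is empty or contains a NUL byte")
    if os.path.isabs(user_path):
        raise ValueError("absolute thumbnail paths are not allowed")
    # Canonicalise both sides so the containment test compares real locations.
    candidate = Path(os.path.realpath(media_root / user_path))
    for allowed in allowed_dirs:
        allowed_real = Path(os.path.realpath(allowed))
        if allowed_real in candidate.parents:
            return candidate
    raise ValueError(
        f"thumbnail path resolves outside the allowlisted media directories: {candidate}")


def is_safe_thumbnail_source(user_path: str) -> bool:
    """Boolean wrapper for call sites that only need accept/reject."""
    try:
        resolve_thumbnail_source(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate clip thumbnail, one absolute path,
    # one traversal out of the media root, one traversal that stays under the root
    # but leaves the allowlisted subdirectories.
    for p in ("clips/front_door/thumb.jpg", "/etc/passwd",
              "../../../etc/passwd", "recordings/../../secret.txt"):
        print(f"{p!r}: {'accepted' if is_safe_thumbnail_source(p) else 'rejected'}")
```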

Added: Oct 15, 2025, 6:20 PM
Updated: Oct 15, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 6.2
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.