CVE-2025-62382: CWE-73: External Control of File Name or Path in blakeblackshear frigate
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.2, Frigate's export workflow allows an authenticated operator to nominate any filesystem location as the thumbnail source for a video export. Because that path is copied verbatim into the publicly served clips directory, the feature can be abused to read arbitrary files that reside on the host running Frigate. In practice, a low-privilege user with API access can pivot from viewing camera footage to exfiltrating sensitive configuration files, secrets, or user data from the appliance itself. This behavior violates the principle of least privilege for the export subsystem and turns a convenience feature into a direct information disclosure vector, with exploitation hinging on a short race window while the background exporter copies the chosen file into place before cleanup runs. This vulnerability is fixed in 0.16.2.
AI Analysis
Technical Summary
CVE-2025-62382 is an external control of file name or path vulnerability (CWE-73) affecting Frigate, a network video recorder software that performs real-time local object detection for IP cameras. In versions prior to 0.16.2, the export workflow allows an authenticated operator to nominate any filesystem location as the thumbnail source for a video export. The nominated path is copied verbatim into the publicly served clips directory, which is accessible over the network. This behavior allows a low-privilege user with API access to exploit a race condition during the background exporter's file copying process to read arbitrary files on the host system. The attacker can thus exfiltrate sensitive data such as configuration files, secrets, or user data stored on the appliance. The vulnerability violates the principle of least privilege by allowing the export subsystem to access arbitrary filesystem locations based on user input. Exploitation does not require user interaction but does require authentication and API access. The vulnerability is fixed in Frigate version 0.16.2. The CVSS v3.1 score is 7.7 (high severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with no integrity or availability impact. No known exploits are currently reported in the wild.
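The root cause described above (a caller-supplied path copied verbatim into a served directory) and the fix pattern a reviewer would expect (canonicalise, then check containment) can be shown side by side. The code below is an added illustration, not Frigate's own export code; the function names, the `thumbs`/`clips` directories and the `config.yml` stand-in for a sensitive host file are all constructed for the demo. The safe variant resolves symlinks before checking that the source lies inside the allowed root, so a link planted inside the thumbnail tree is rejected the same way as `../` traversal or an absolute path.

```python
import os
import shutil
import tempfile
from pathlib import Path


def resolve_thumbnail_source(user_path: str, allowed_root: str) -> Path:
    """Return the canonical path of user_path if it is a regular file inside allowed_root.

    Symlinks are resolved *before* the containment check, so a link inside the
    allowed tree that points outside it is rejected like any traversal.
    Raises ValueError for anything that is not a regular file under the root.
    """
    root = Path(os.path.realpath(allowed_root))
    # os.path.join discards root when user_path is absolute, so absolute
    # inputs are checked against root exactly like relative ones.
    candidate = Path(os.path.realpath(os.path.join(root, user_path)))
    if not candidate.is_file():
        raise ValueError("thumbnail source is not an existing regular file")
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError("thumbnail source lies outside the allowed directory") from None
    return candidate


def export_thumbnail_unsafe(user_path: str, clips_dir: str, export_name: str) -> Path:
    """The CWE-73 pattern: whatever path the caller names is copied into the served directory."""
    dst = Path(clips_dir) / f"{export_name}.jpg"
    shutil.copyfile(user_path, dst)
    return dst


def export_thumbnail_safe(user_path: str, allowed_root: str, clips_dir: str, export_name: str) -> Path:
    """Hardened variant: source must sit under allowed_root; export name must be a bare file name."""
    if not export_name or export_name in (".", "..") or "/" in export_name or os.sep in export_name:
        raise ValueError("export name must be a plain file name")
    src = resolve_thumbnail_source(user_path, allowed_root)
    dst = Path(clips_dir) / f"{export_name}.jpg"
    shutil.copyfile(src, dst)
    return dst


def run_demo() -> dict:
    """Build a constructed directory tree and record how each variant treats hostile inputs."""
    base = Path(tempfile.mkdtemp())
    thumbs, clips = base / "thumbs", base / "clips"
    thumbs.mkdir()
    clips.mkdir()
    (thumbs / "cam1.jpg").write_bytes(b"\xff\xd8real-thumbnail")
    secret = base / "config.yml"  # constructed stand-in for a sensitive host file
    secret.write_text("mqtt_password: example-only\n")
    (thumbs / "link.jpg").symlink_to(secret)  # symlink planted inside the allowed tree

    results = {}
    # Unsafe variant: the traversal path is copied, so the file now sits in the served directory.
    leaked = export_thumbnail_unsafe(str(thumbs / ".." / "config.yml"), clips, "leak")
    results["unsafe_leaks"] = leaked.read_text() == secret.read_text()

    # Safe variant: a legitimate thumbnail is exported, each hostile input is refused.
    ok = export_thumbnail_safe("cam1.jpg", thumbs, clips, "export1")
    results["safe_ok"] = ok.read_bytes() == b"\xff\xd8real-thumbnail"
    hostile = {"traversal": "../config.yml", "absolute": str(secret), "symlink": "link.jpg"}
    for label, path in hostile.items():
        try:
            export_thumbnail_safe(path, thumbs, clips, label)
            results[label] = "copied"
        except ValueError:
            results[label] = "rejected"

    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note that the containment check alone does not close the race window the advisory mentions: even with validation, the exporter should copy into a non-served staging location and move the finished file into the clips directory atomically, so a partially processed file is never reachable over HTTP.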
Potential Impact
For European organizations deploying Frigate as part of their IP camera surveillance infrastructure, this vulnerability poses a significant confidentiality risk. Attackers with low-privilege API access can leverage this flaw to read arbitrary files on the host system, potentially exposing sensitive configuration details, authentication secrets, or personal data. This could lead to further compromise of the surveillance system or lateral movement within the network. Given the critical nature of video surveillance in sectors such as government, critical infrastructure, transportation, and corporate security, unauthorized data disclosure could undermine operational security and privacy compliance obligations under regulations like GDPR. Although the vulnerability does not affect system integrity or availability directly, the exposure of sensitive data can facilitate more severe attacks. The requirement for authentication limits exposure to insiders or compromised accounts, but the ease of exploitation and the potential value of the data make this a high-risk issue for affected deployments.
Mitigation Recommendations
European organizations should immediately upgrade all Frigate installations to version 0.16.2 or later, where this vulnerability is fixed. Until upgrades can be applied, restrict API access strictly to trusted and authenticated users, employing strong authentication mechanisms and network segmentation to limit exposure. Implement monitoring and alerting on unusual API export requests or file access patterns that could indicate exploitation attempts. Review and harden filesystem permissions on the host to minimize sensitive file exposure. Consider deploying Web Application Firewalls (WAFs) or API gateways that can detect and block suspicious path traversal or file access attempts. Conduct regular audits of Frigate configurations and logs to detect unauthorized activity. Finally, educate operators about the risks of exporting video thumbnails and enforce the principle of least privilege in user roles and permissions within the Frigate system.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-10T14:22:48.205Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68efd906d4cab3a28826793d
Added to database: 10/15/2025, 5:25:26 PM
Last enriched: 10/15/2025, 5:39:49 PM
Last updated: 10/15/2025, 6:48:35 PM