Frigate unsafe deserialization in `load_config_with_no_duplicates` of `frigate/util/builtin.py`
CVE-2023-45672
7.5 HIGH
What is CVE-2023-45672?
Frigate, an open-source network video recorder, suffers from an unsafe deserialization vulnerability that can lead to unauthenticated remote code execution. The flaw lies in the endpoints responsible for saving configuration: an attacker who tricks an authenticated user into clicking a malicious link aimed at that user's Frigate server can have the server deserialize attacker-controlled configuration. Because the configuration-loading code does not sanitize its input, arbitrary payloads are executed. Frigate versions prior to 0.13.0 Beta 3 are affected; users are advised to update to the latest version to mitigate this risk.
Affected Version(s)
frigate < 0.13.0-beta3
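The defensive counterpart to the pattern the advisory describes, as an added example that is not Frigate's own code: configuration is parsed with a loader restricted to plain YAML types, so tags that a full-featured loader would turn into arbitrary Python objects are refused, while duplicate keys (the concern the function name `load_config_with_no_duplicates` points at) are still reported as errors. It assumes the configuration is YAML parsed with PyYAML (the advisory names only the function and file); the `NoDuplicatesSafeLoader` class, the `check_config` helper and the sample documents are constructed for this illustration.

```python
"""Hardened YAML config loading: safe constructor set plus duplicate-key rejection.

Added example, not Frigate's code. Assumes PyYAML; the class and helper names
are illustrative.
"""
import yaml
from yaml.constructor import ConstructorError

# Weak pattern (do not use): yaml.load(text, Loader=yaml.Loader)
# The full Loader resolves application-specific tags into Python objects, so
# any document the server accepts from a request body is effectively trusted code.
# SafeLoader (what yaml.safe_load uses) knows only the core YAML types and raises
# ConstructorError for every other tag.


class NoDuplicatesSafeLoader(yaml.SafeLoader):
    """SafeLoader that additionally treats a repeated mapping key as an error.

    Plain SafeLoader silently lets the last duplicate win, which hides
    misconfiguration; here the document is rejected instead.
    """

    def construct_mapping(self, node, deep=False):
        # Resolve '<<' merge keys first so they are not mistaken for duplicates.
        self.flatten_mapping(node)
        seen = set()
        for key_node, _value_node in node.value:
            key = self.construct_object(key_node, deep=deep)
            try:
                hash(key)
            except TypeError:
                # Complex (unhashable) keys are reported by the base constructor.
                continue
            if key in seen:
                raise ConstructorError(
                    "while constructing a mapping", node.start_mark,
                    f"found duplicate key {key!r}", key_node.start_mark)
            seen.add(key)
        return super().construct_mapping(node, deep=deep)


def load_config_safely(text: str) -> dict:
    """Parse a config document into a dict, raising on unsafe or malformed input."""
    data = yaml.load(text, Loader=NoDuplicatesSafeLoader)
    if data is None:            # empty document
        return {}
    if not isinstance(data, dict):
        raise ValueError("top-level config must be a mapping")
    return data


def check_config(text: str):
    """Classify a document as ('ok', data) or ('rejected', reason)."""
    try:
        return "ok", load_config_safely(text)
    except ConstructorError as exc:
        problem = exc.problem or ""
        if "duplicate key" in problem:
            return "rejected", "duplicate-key"
        if "could not determine a constructor for the tag" in problem:
            return "rejected", "unknown-tag"
        return "rejected", "constructor-error"
    except (yaml.YAMLError, ValueError):
        return "rejected", "invalid"


# Constructed sample documents (not from any real deployment).
GOOD_CONFIG = """\
mqtt:
  host: 10.0.0.5
cameras:
  front:
    ffmpeg:
      inputs: []
"""

DUPLICATE_KEY_CONFIG = """\
mqtt:
  host: 10.0.0.5
mqtt:
  host: 10.0.0.6
"""

# A non-core tag: the safe loader refuses it instead of resolving it.
TAGGED_CONFIG = "cameras: !custom_tag some-value\n"

if __name__ == "__main__":
    for name, doc in [("good", GOOD_CONFIG),
                      ("duplicate", DUPLICATE_KEY_CONFIG),
                      ("tagged", TAGGED_CONFIG)]:
        print(name, check_config(doc))
```

Any endpoint that accepts configuration from a request should go through a loader of this kind; the authentication and CSRF concerns the advisory raises are separate controls, but even a forged request then delivers only data, not object construction.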