CVE-2024-32874

MEDIUM

Frigate < 0.13.2 - Denial of Service via Large Unicode Filename


Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions below 0.13.2, when uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename, which would lead to an application-level denial of service. This is due to no limit being set on the length of the filename and the costly use of Unicode normalization with the form NFKD under the hood of `secure_filename()`.
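
One way to bound the normalization cost described above, shown as an added example (not Frigate's or Werkzeug's code): reject over-long names before any NFKD work, then cap the result again because NFKD can expand characters. The names `bounded_secure_filename` and `FilenameTooLong`, the 255-character cap, and the simplified sanitizer standing in for `secure_filename()` are assumptions.

```python
import re
import unicodedata

# Assumed cap, not taken from the advisory: 255 is a common filesystem name limit.
MAX_FILENAME_CHARS = 255

_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")


class FilenameTooLong(ValueError):
    """Raised when a client-supplied filename exceeds the cap."""


def bounded_secure_filename(raw: str, max_chars: int = MAX_FILENAME_CHARS) -> str:
    """Sanitize a filename with the NFKD step guarded by a length check."""
    # Check the raw input first, so the cost of normalization is bounded
    # by max_chars no matter what the client sends.
    if len(raw) > max_chars:
        raise FilenameTooLong(f"filename has {len(raw)} chars, limit is {max_chars}")

    # NFKD decomposition, then drop everything that is not ASCII.
    ascii_name = (
        unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode("ascii")
    )

    # Neutralize path separators, collapse whitespace, strip unsafe characters.
    for sep in ("/", "\\"):
        ascii_name = ascii_name.replace(sep, " ")
    cleaned = _UNSAFE.sub("", "_".join(ascii_name.split())).strip("._")

    # NFKD can expand one code point into several (U+FB03 becomes "ffi"),
    # so apply the cap to the output as well.
    return cleaned[:max_chars]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request.
    samples = ["caf\u00e9 clip.mp4", "../../etc/passwd", "\ufb03" * 100_000]
    for name in samples:
        try:
            print(repr(bounded_secure_filename(name)))
        except FilenameTooLong as exc:
            print("rejected:", exc)
```
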

Scores

CVSS v3 6.8
EPSS 0.0012
EPSS Percentile 31.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (2)
blakeblackshear/frigate <= 0.13.2
pypi/frigate 0 - 0.13.2 (PyPI)
Published May 14, 2024
Tracked Since Feb 18, 2026