Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-33126

5.0 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

created 1 day ago

Frigate has SSRF vulnerability in /ffprobe endpoint

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources, cloud metadata services, or perform port scanning. This issue has been patched in version 0.16.3.

References

https://github.com/blakeblackshear/frigate/security/advisories/GHSA-j6g3-3j3q-c2xv x_refsource_CONFIRM
https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3 x_refsource_MISC

Affected products

frigate

==< 0.16.3

Matching in nixpkgs

pkgs.frigate

NVR with realtime local object detection for IP cameras

nixos-unstable 0.17.0
- nixpkgs-unstable 0.17.0
- nixos-unstable-small 0.17.0
nixos-25.11 0.16.3
- nixos-25.11-small 0.16.3
- nixpkgs-25.11-darwin 0.16.3

pkgs.pkgsRocm.frigate

NVR with realtime local object detection for IP cameras

nixos-unstable 0.17.0
- nixpkgs-unstable 0.17.0
- nixos-unstable-small 0.17.0
nixos-25.11 0.16.3
- nixos-25.11-small 0.16.3
- nixpkgs-25.11-darwin 0.16.3

pkgs.home-assistant-custom-components.frigate

Provides Home Assistant integration to interface with a separately running Frigate service

nixos-unstable 5.14.2
- nixpkgs-unstable 5.14.2
- nixos-unstable-small 5.14.2
nixos-25.11 5.11.0
- nixos-25.11-small 5.11.0
- nixpkgs-25.11-darwin 5.11.0

Package maintainers

@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@presto8 Preston Hunt <me@prestonhunt.com>