Medium severity6.8NVD Advisory· Published May 14, 2024· Updated Apr 15, 2026
CVE-2024-32874
CVE-2024-32874
Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Below 0.13.2 Release, when uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename which would lead to a application-level denial of service. This is due to no limitation set on the length of the filename and the costy use of the Unicode normalization with the form NFKD under the hood of secure_filename().
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
frigatePyPI | < 0.13.2 | 0.13.2 |
Patches
1cc851555e402Security improvement: ensure user provided file names don't exceed max length (#11129)
1 file changed · +33 −2
frigate/api/media.py+33 −2 modified@@ -392,7 +392,17 @@ def recording_clip(camera_name, start_ts, end_ts): if clip.end_time > end_ts: playlist_lines.append(f"outpoint {int(end_ts - clip.start_time)}") - file_name = secure_filename(f"clip_{camera_name}_{start_ts}-{end_ts}.mp4") + file_name = f"clip_{camera_name}_{start_ts}-{end_ts}.mp4" + + if len(file_name) > 1000: + return make_response( + jsonify( + {"success": False, "message": "Filename exceeded max length of 1000"} + ), + 403, + ) + + file_name = secure_filename(file_name) path = os.path.join(CACHE_DIR, file_name) if not os.path.exists(path): @@ -1167,7 +1177,20 @@ def preview_gif(camera_name: str, start_ts, end_ts, max_cache_age=2592000): @MediaBp.route("/<camera_name>/start/<int:start_ts>/end/<int:end_ts>/preview.mp4") @MediaBp.route("/<camera_name>/start/<float:start_ts>/end/<float:end_ts>/preview.mp4") def preview_mp4(camera_name: str, start_ts, end_ts): - file_name = secure_filename(f"clip_{camera_name}_{start_ts}-{end_ts}.mp4") + file_name = f"clip_{camera_name}_{start_ts}-{end_ts}.mp4" + + if len(file_name) > 1000: + return make_response( + jsonify( + { + "success": False, + "message": "Filename exceeded max length of 1000 characters.", + } + ), + 403, + ) + + file_name = secure_filename(file_name) path = os.path.join(CACHE_DIR, file_name) if datetime.fromtimestamp(start_ts) < datetime.now().replace(minute=0, second=0): @@ -1337,6 +1360,14 @@ def review_preview(id: str): @MediaBp.route("/preview/<file_name>/thumbnail.webp") def preview_thumbnail(file_name: str): """Get a thumbnail from the cached preview frames.""" + if len(file_name) > 1000: + return make_response( + jsonify( + {"success": False, "message": "Filename exceeded max length of 1000"} + ), + 403, + ) + safe_file_name_current = secure_filename(file_name) preview_dir = os.path.join(CACHE_DIR, "preview_frames")
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- github.com/advisories/GHSA-w4h6-9wrp-v5jqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-32874ghsaADVISORY
- github.com/blakeblackshear/frigate/blob/d7ae0eedf89e14f297093ac5c8042862034cbaeb/frigate/api/media.pyghsaWEB
- github.com/blakeblackshear/frigate/blob/d7ae0eedf89e14f297093ac5c8042862034cbaeb/frigate/api/media.pyghsaWEB
- github.com/blakeblackshear/frigate/blob/d7ae0eedf89e14f297093ac5c8042862034cbaeb/frigate/api/media.pyghsaWEB
- github.com/blakeblackshear/frigate/blob/d7ae0eedf89e14f297093ac5c8042862034cbaeb/frigate/api/media.pyghsaWEB
- github.com/blakeblackshear/frigate/blob/d7ae0eedf89e14f297093ac5c8042862034cbaeb/frigate/api/media.pyghsaWEB
- github.com/blakeblackshear/frigate/blob/d7ae0eedf89e14f297093ac5c8042862034cbaeb/frigate/api/media.pyghsaWEB
- github.com/blakeblackshear/frigate/commit/cc851555e4029647986dccc8b8ecf54afee31442nvdWEB
- github.com/blakeblackshear/frigate/security/advisories/GHSA-w4h6-9wrp-v5jqnvdWEB
News mentions
0No linked articles in our index yet.