blakeblackshear/frigate v0.17.2

0.17.2 Release

on GitHub

This is a maintenance release for Frigate 0.17 that includes fixes and minor changes.

Images

• ghcr.io/blakeblackshear/frigate:0.17.2
• ghcr.io/blakeblackshear/frigate:0.17.2-standard-arm64
• ghcr.io/blakeblackshear/frigate:0.17.2-tensorrt
• ghcr.io/blakeblackshear/frigate:0.17.2-rk
• ghcr.io/blakeblackshear/frigate:0.17.2-rocm
• ghcr.io/blakeblackshear/frigate:0.17.2-tensorrt-jp6
• ghcr.io/blakeblackshear/frigate:0.17.2-synaptics

What's Changed

Security Advisories

These advisories impact users with publicly exposed instances with no authentication and users with viewer roles where it is important to restrict access to some cameras.

• go2rtc WebSocket live stream camera access bypass (role-restricted users)
• Incomplete patch of CVE-2025-62382: image_path backslash-separator bypass of pathvalidate.sanitize_filepath + startswith(CLIPS_DIR) reaches shutil.copy arbitrary host-file read
• Incomplete patch of CVE-2026-25643: go2rtc exec:/echo:/expr: prefix block is bypassed when a stream value is a YAML mapping with a url key (RCE + container escape)
• RTSP credentials leak to viewer role via nginx proxy_cache
• Authenticated Admin Can Achieve RCE via go2rtc Stream API — exec: Filter Not Enforced at API Layer
• Authenticated viewer can read /api/logs/frigate and /api/logs/nginx, exposing the auto-generated admin password and camera RTSP/ONVIF credentials (viewer-to-admin privilege escalation)
• Camera ACL bypass via Nginx static locations allows authenticated users to access recordings from unauthorized cameras
• Viewer-Role User Can Access go2rtc Internal API to obtain sensitive information
• WebSocket Missing Authorization — Viewer Can Execute Admin-Only Operations

Notable Changes

• Exports can optionally include recording segment information as chapters in mp4 metadata
• Performance improvements when displaying previews in the live page

All Commits

• Update docs for DEIMv2 support by @NickM-27 in #22598
• Add role-based auth to websocket message handler by @hawkeye217 in #22710
• Update MemryX section documentation by @abinila4 in #22712
• Memryx docs update by @abinila4 in #22746
• Docs update by @hawkeye217 in #22864
• Update restream.md docs and clarify output config by @Feni85 in #22860
• Fix broken docs links with hash fragments that resolve wrong on reload by @hawkeye217 in #22925
• Fix yolonas colab notebook by @hawkeye217 in #22936
• Fixes by @hawkeye217 in #23235
• Add metadata for creation time in recordings / exports by @NickM-27 in #23239
• Fix admin response cache leak to non-admin users via nginx proxy_cache by @hawkeye217 in #23261
• Docs update by @hawkeye217 in #23280
• Docs update by @hawkeye217 in #23282
• Filter motion review by allowed cameras by @hawkeye217 in #23294
• Add ability to control chapters set on MP4 Export by @NickM-27 in #23310
• Chapter tweaks by @NickM-27 in #23440
• Catch edge cases in security protections by @NickM-27 in #23493
• Offload preview encoding and Plus upload off the API event loop by @hawkeye217 in #23552
• Fix cache control header for current hour preview mp4s by @hawkeye217 in #23553
• Allow non-admin users to use PTZ controls for cameras they have access to by @hawkeye217 in #23578

New Contributors

• @Feni85 made their first contribution in #22860

Full Changelog: v0.17.1...v0.17.2