CVE-2020-37049 in Frigate Professional
Summary
by MITRE • 01/31/2026
Frigate 3.36.0.9 contains a local buffer overflow vulnerability in the Command Line input field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload to overflow the buffer, bypass DEP, and execute commands like launching calc.exe through a specially crafted input sequence.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/31/2026
The vulnerability identified as CVE-2020-37049 represents a critical local buffer overflow flaw within Frigate version 3.36.0.9 that specifically targets the command line input field functionality. This vulnerability exists due to insufficient bounds checking mechanisms when processing user-supplied input through the command line interface, creating an exploitable condition that can be leveraged by malicious actors to execute arbitrary code on affected systems. The flaw manifests when the application fails to properly validate the length of input data entered through the command line, allowing attackers to exceed the allocated buffer space and overwrite adjacent memory locations.
The technical implementation of this vulnerability aligns with CWE-121, which describes stack-based buffer overflow conditions where insufficient bounds checking permits data to overwrite adjacent memory regions. The attack vector specifically exploits the command line parsing functionality within Frigate, where a carefully crafted input sequence can trigger the buffer overflow condition. When executed successfully, the overflow allows attackers to overwrite the return address on the stack or other critical memory locations, effectively redirecting program execution flow. The vulnerability's exploitation bypasses Data Execution Prevention mechanisms through techniques such as return-oriented programming or by overwriting function pointers, enabling attackers to execute malicious code with the privileges of the running application.
The operational impact of this vulnerability is significant as it provides attackers with a local code execution capability that can be leveraged for privilege escalation and system compromise. Attackers can utilize this vulnerability to launch malicious payloads such as calc.exe or other arbitrary executables, potentially leading to full system compromise. The vulnerability affects systems running Frigate 3.36.0.9 where the command line interface is accessible to unprivileged users, creating a persistent threat vector that can be exploited for lateral movement within networks. The attack requires local system access but does not require network connectivity, making it particularly dangerous in environments where local privilege escalation is a concern. This vulnerability also aligns with ATT&CK technique T1059.001, which covers command and scripting interpreter execution, as attackers can leverage the command line interface to execute malicious payloads.
Mitigation strategies for this vulnerability should prioritize immediate patching of affected Frigate installations to version 3.36.0.10 or later, which contains the necessary fixes to address the buffer overflow condition. System administrators should implement input validation controls that enforce strict bounds checking on all command line inputs and consider implementing additional security measures such as address space layout randomization and stack canaries to further protect against exploitation attempts. Network segmentation and privilege separation can help limit the potential impact of successful exploitation by reducing the attack surface and preventing unauthorized access to critical system resources. Additionally, monitoring for suspicious command line activity and implementing application whitelisting controls can provide additional layers of defense against exploitation attempts. Organizations should also conduct thorough security assessments of their Frigate deployments to identify any other potential vulnerabilities that may exist within the application's codebase.