Securing our home labs: Frigate code review
Blog post from GitHub
GitHub Security Lab conducted an analysis of the open-source project Frigate, a network video recorder with local object detection and Home Assistant integration, as part of its ongoing effort to improve the security of the software ecosystem. During the review, the team identified several vulnerabilities, including insecure deserialization and cross-site request forgery (CSRF), which together could allow remote code execution (RCE) even when the Frigate instance is not directly exposed to the internet. The vulnerabilities stemmed from the deserialization of user-controlled data and from the lack of authentication and CSRF protections on Frigate's API, which made it possible to push a malicious configuration to an instance. The researchers demonstrated a proof of concept for exploiting these issues, underlining the need for stronger security measures. All identified vulnerabilities have been patched in the latest beta release (0.13.0 Beta 3), and advisories have been published to encourage users to update their systems.