CVE-2025-47782: motionEye vulnerable to RCE in add_camera Function Due to unsafe command execution
Using a constructed (camera) device path with the config/add/add_camera motionEye web API allows an attacker with motionEye admin user credentials to execute any UNIX shell code within a non-interactive shell as the executing user of the motionEye instance, motion by default.
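The bug class described above, shown as an added example that is not motionEye's own code: a device path pasted into a shell command string, beside a hardened form that allow-lists the value and passes it as a single argv element. The v4l2-ctl invocation, the allow-list pattern, the function names and the sample input are assumptions made for illustration.

```python
import re
import shlex

# Assumption: local cameras are V4L2 nodes such as /dev/video0 or
# /dev/v4l/by-id/<name>; anything else is rejected.
DEVICE_RE = re.compile(r"/dev/(?:video\d{1,3}|v4l/by-(?:id|path)/[A-Za-z0-9._:+-]+)")

# Constructed sample input: a "device path" carrying a shell control operator.
CONSTRUCTED = "/dev/video0; echo INJECTED"


def unsafe_command(device: str) -> str:
    """'Before' pattern: the value is pasted into a string a shell will parse."""
    return f"v4l2-ctl -d {device} --list-formats-ext"


def shell_operators(command: str) -> list[str]:
    """Control/redirection operators a POSIX shell would find in the string.

    Rough illustration only: quoting is not taken into account.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and tok[0] in lexer.punctuation_chars]


def validate_device(device: str) -> str:
    """Allow-list check; fullmatch() also rejects a trailing newline."""
    if not DEVICE_RE.fullmatch(device):
        raise ValueError(f"rejected device path: {device!r}")
    return device


def safe_argv(device: str) -> list[str]:
    """Hardened pattern: validated value passed as exactly one argv element.

    Intended for subprocess.run(argv, shell=False), so no shell re-parses it.
    """
    return ["v4l2-ctl", "-d", validate_device(device), "--list-formats-ext"]


if __name__ == "__main__":
    print(shell_operators(unsafe_command("/dev/video0")))   # benign path
    print(shell_operators(unsafe_command(CONSTRUCTED)))     # shell sees a 2nd command
    print(safe_argv("/dev/video0"))
    try:
        safe_argv(CONSTRUCTED)
    except ValueError as exc:
        print(exc)
```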
References
- github.com/advisories/GHSA-g5mq-prx7-c588
- github.com/motioneye-project/motioneye
- github.com/motioneye-project/motioneye/issues/3142
- github.com/motioneye-project/motioneye/pull/3143
- github.com/motioneye-project/motioneye/security/advisories/GHSA-g5mq-prx7-c588
- github.com/pypa/advisory-database/tree/main/vulns/motioneye/PYSEC-2025-39.yaml
- nvd.nist.gov/vuln/detail/CVE-2025-47782