CVE-2025-60787: motionEye vulnerable to RCE via unsanitized motion config parameter

November 3, 2025

A command injection vulnerability in MotionEye allows attackers to achieve Remote Code Execution (RCE) by supplying malicious values in configuration fields exposed via the Web UI. Because MotionEye writes user-supplied values directly into Motion configuration files without sanitization, attackers can inject shell syntax that is executed when the Motion process restarts. This issue enables full takeover of the MotionEye container and potentially the host environment (depending on container privileges).

References

github.com/advisories/GHSA-j945-qm58-4gjx
github.com/motioneye-project/motioneye
github.com/motioneye-project/motioneye/security/advisories/GHSA-j945-qm58-4gjx
github.com/prabhatverma47/motionEye-RCE-through-config-parameter
nvd.nist.gov/vuln/detail/CVE-2025-60787

Code Behaviors & Features

Detect and mitigate CVE-2025-60787 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →