PyPI: motioneye

CVE-2025-60787

Safety vulnerability ID: SFTY-20251103-96930

Safety legacy ID: pyup.io-81064

Affected versions of the motioneye package are vulnerable to Command Injection due to unsanitized filename configuration fields being written into Motion configuration files and later interpreted by the Motion process. The Web UI’s image_file_name and movie_filename fields are persisted by ConfigHandler.set_config() via config.py into /etc/motioneye/camera-*.conf, and when motionctl.restart() reloads Motion, shell metacharacters (for example $() or backticks) in those values are executed because they are treated as shell-expandable strings.

Created at: Dec 27, 2025

Updated at: Dec 27, 2025

Overview

motionEye vulnerable to RCE via unsanitized motion config parameter


Affected Package

Affecting motioneye package, versions <0.43.1b5


How to Fix

Upgrade motioneye to 0.43.1b5 or higher.
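
A defensive check for the condition the advisory describes, as an added example (not code from motionEye or Safety): it scans the camera configuration files for filename fields whose values contain shell metacharacters. It assumes Motion-style `key value` lines and treats any key ending in `filename` or `file_name` as a filename field; the function names and the sample text are hypothetical.

```python
import glob
import re

# Assumption: any key ending in "filename" or "file_name" is a filename field
# (this covers image_file_name and movie_filename as named in the advisory).
FILENAME_KEY = re.compile(r"(?:filename|file_name)$", re.IGNORECASE)
# Characters the shell treats specially. "%", "/", "-", "_" and "." are not in
# the set, so ordinary date-pattern filenames are not flagged.
SHELL_META = re.compile(r"[`$;&|<>(){}\\\n'\"!*?]")


def audit_config_text(text, source="<memory>"):
    """Return (source, line_no, key, value) for each suspicious filename field."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        parts = line.split(None, 1)  # assumed format: key, whitespace, value
        if len(parts) != 2:
            continue  # key without a value
        key, value = parts
        if FILENAME_KEY.search(key) and SHELL_META.search(value):
            findings.append((source, line_no, key, value))
    return findings


def audit_config_files(pattern="/etc/motioneye/camera-*.conf"):
    """Audit every file matching the config path pattern given in the advisory."""
    findings = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(audit_config_text(fh.read(), source=path))
    return findings


# Constructed sample, not taken from a real system.
SAMPLE = """\
# @name Front door
movie_filename %Y-%m-%d/%H-%M-%S
image_file_name $(example).jpg
text_left `not a filename key`
"""

if __name__ == "__main__":
    for src, line_no, key, value in audit_config_text(SAMPLE) + audit_config_files():
        print(f"{src}:{line_no}: {key} contains shell metacharacters: {value!r}")
```
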



Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
