GHSA-QXVG-H7Q2-HCXH is a critical-severity path traversal vulnerability in motioneye (pip), affecting versions < 0.44.0. It is fixed in 0.44.0.
Summary

A multi-stage chain in motionEye leads to remote code execution. The chain combines:
- Arbitrary file read (LFI) via the picture download endpoint for local motion cameras, using absolute paths.
- Pass-the-hash admin authentication, because request signatures computed with the password hash are accepted.
- Unsafe config restore that extracts attacker-controlled tarballs into CONF_PATH.
- Unauthenticated action execution via /action/<id>/<action>.

If the normal user password is unset, the chain is unauthenticated RCE. If a normal password is set, a normal user can still escalate to admin and reach RCE.

Affected Code (motionEye repo)

1) LFI via absolute path in picture/<id>/download
Files: motioneye/motioneye/handlers/picture.py → download() (local motion camera branch); motioneye/motioneye/mediafiles.py → get_media_content()
Issue: get_media_content() only blocks ".." and then joins target_dir with path. An absolute path (e.g. /etc/hosts) is unaffected by the join and is read directly.

2) Pass-the-hash admin auth
File: motioneye/motioneye/handlers/base.py → get_current_user()
Issue: The signature check accepts signatures computed with the admin password hash (SHA1) as the key. Once the hash is leaked (via the LFI), admin access is obtained without the plaintext password.

3) Unsafe restore (tar extraction)
File: motioneye/motioneye/config.py → restore()
Issue: tar zxC CONF_PATH is run on user-supplied data without sanitizing entries. A crafted tar can drop executable files into CONF_PATH.

4) Unauthenticated action execution
File: motioneye/motioneye/handlers/action.py → post()
Issue: No authentication decorator is present. The handler executes <action>_<camera_id> found in CONF_PATH with subprocess.Popen.

Exploit Chain (Detailed)

1. Create or find a local motion camera id (the vulnerable LFI path is only reached for local motion cameras).
2. LFI via picture download. Request: /picture/<id>/download/<absolute_path>. Example: /picture/1/download/%2Fetc%2Fhosts. Result: arbitrary file read.
3. Read the admin hash from /etc/motioneye/motion.conf, which contains @admin_password <SHA1 hash>.
4. Pass-the-hash admin: compute the signature for /config/restore?username=admin using the hash as the key. Hash-based signatures are accepted as admin.
5. Restore a malicious tar: upload a tar containing lock_<id> (or any action) as an executable. restore() writes it into CONF_PATH.
6. Trigger the unauthenticated action: POST /action/<id>/lock. The server executes the injected file.

Proof of Execution (Observed Output)
In local testing, the injected action created a marker file.
Verification command:
Example output:

Preconditions / Requirements
- At least one local motion camera exists (e.g. netcam_url or videodevice configured).
- picture/<id>/download is reachable: unauthenticated if @normal_password is empty (the default in some installs); authentication required if a normal password is set (the attacker then needs normal-user credentials).

Impact
- Unauthenticated RCE (normal password unset).
- Authenticated RCE (normal user → admin → RCE).
- Arbitrary file read on the server filesystem.
- Full compromise of the motionEye process account.

Suggested Fixes
- Block absolute paths in get_media_content() and get_media_path().
- Remove hash-based signature acceptance; only accept signatures computed with plaintext passwords.
- Harden restore: reject absolute paths, "..", symlinks and non-regular files.
- Require authentication on ActionHandler (admin-only).
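The media path check and the restore hardening from the Suggested Fixes above, as an added example in Python that is not motionEye's code: naive_media_path() reproduces the advisory's "block '..' then join" pattern so the absolute-path bypass is visible, safe_media_path() is the containment check the first suggested fix calls for, and check_restore_tar() vets a tarball against the member types the third suggested fix lists. The function names, the /srv/motioneye/media/1 directory and the sample tarball produced by build_sample_tar() are assumptions made for illustration.

```python
"""Containment checks for the media download path and the config restore
discussed above.  This is an added example and not motionEye's code: the
function names, the directory in the docstrings and the sample tarball are
assumptions made for illustration."""
import io
import os
import posixpath
import tarfile


class UnsafePath(ValueError):
    """A client-supplied path would land outside the directory it belongs in."""


def naive_media_path(base_dir, user_path):
    """The pattern the advisory describes: refuse '..' and join.

    os.path.join() drops base_dir when its second argument is absolute, so
    '/etc/hosts' passes the '..' check and comes back unchanged.
    """
    if '..' in user_path:
        raise UnsafePath(user_path)
    return os.path.join(base_dir, user_path)


def safe_media_path(base_dir, user_path):
    """Hardened version: reject absolute input outright, then prove that the
    resolved path is still under base_dir once '..' and symlinks collapse."""
    if os.path.isabs(user_path):
        raise UnsafePath('absolute path rejected: %r' % user_path)
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath() compares whole components, so '/srv/media/10' is not
    # mistaken for something inside '/srv/media/1'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise UnsafePath('%r escapes %r' % (user_path, base_dir))
    return candidate


def is_safe_media_path(base_dir, user_path):
    """True if safe_media_path() would accept user_path, False otherwise."""
    try:
        safe_media_path(base_dir, user_path)
    except UnsafePath:
        return False
    return True


def check_restore_tar(data):
    """Vet a restore tarball before anything is extracted into CONF_PATH.

    Returns [(member_name, reason), ...] for every member the hardened
    restore should refuse: absolute names, '..' components, symlinks and
    hard links, and anything that is not a regular file or directory.
    An empty list means the archive may be extracted.
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode='r:gz') as tar:
        for member in tar.getmembers():
            name = member.name
            if posixpath.isabs(name):
                problems.append((name, 'absolute path'))
            elif '..' in name.split('/'):
                problems.append((name, 'parent-directory component'))
            elif member.issym() or member.islnk():
                problems.append((name, 'symlink or hard link'))
            elif not (member.isfile() or member.isdir()):
                problems.append((name, 'not a regular file or directory'))
    return problems


def executable_members(data):
    """Regular files in the archive that carry an executable bit.

    The suggested restore fix does not list these, but because the action
    handler runs <action>_<camera_id> files straight out of CONF_PATH, an
    executable member is exactly the payload the chain above relies on.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode='r:gz') as tar:
        return [m.name for m in tar.getmembers() if m.isfile() and m.mode & 0o111]


def build_sample_tar():
    """Constructed sample input, not a real motionEye backup: two benign
    members plus the member shapes a crafted restore archive might carry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tar:
        def add(name, kind=tarfile.REGTYPE, data=b'', linkname='', mode=0o644):
            info = tarfile.TarInfo(name)
            info.type, info.size, info.linkname, info.mode = kind, len(data), linkname, mode
            tar.addfile(info, io.BytesIO(data) if data else None)
        add('motion.conf', data=b'# constructed sample config\n')           # benign file
        add('camera-1', kind=tarfile.DIRTYPE)                                # benign directory
        add('/etc/cron.d/backdoor', data=b'* * * * * root id\n')             # absolute path
        add('../../../tmp/escape', data=b'x')                               # traversal
        add('settings.link', kind=tarfile.SYMTYPE, linkname='/etc/shadow')  # symlink
        add('pipe', kind=tarfile.FIFOTYPE)                                   # not a regular file
        add('lock_1', data=b'#!/bin/sh\ntouch /tmp/marker\n', mode=0o755)    # action payload
    return buf.getvalue()


if __name__ == '__main__':
    base = '/srv/motioneye/media/1'   # assumed media directory for camera 1
    print(naive_media_path(base, '/etc/hosts'))        # '/etc/hosts'
    print(is_safe_media_path(base, '/etc/hosts'))      # False
    sample = build_sample_tar()
    for name, reason in check_restore_tar(sample):
        print('reject %s: %s' % (name, reason))
    print('executable:', executable_members(sample))   # ['lock_1']
```

check_restore_tar() vets the archive as a whole: one rejected member means nothing from it should be extracted, since a symlink member followed by a file written through that link is the usual way to turn a link entry into a write outside CONF_PATH. Executable regular files are reported separately by executable_members() rather than refused, because the page's restore fix list does not include them; an archive from an untrusted source that carries one should be treated as the payload step of the chain above.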
Attacker-controlled input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
GHSA-QXVG-H7Q2-HCXH has a CVSS score of 9.8 (Critical): network-reachable, no privileges required, no user interaction. That rating corresponds to the unauthenticated case of the chain above, where no normal-user password is set; with a normal password set, the same chain still reaches RCE but requires normal-user credentials. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (0.44.0). Upgrading removes the vulnerable code path.
Ecosystem: pip. Affected: motioneye (< 0.44.0). Fixed in: motioneye 0.44.0 (pip).
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether GHSA-QXVG-H7Q2-HCXH is reachable in your applications. Explore open-source security for your team.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
motioneye (pip) versions < 0.44.0 are affected.
Yes. GHSA-QXVG-H7Q2-HCXH is fixed in 0.44.0. Upgrade to this version or later.
Upgrade motioneye to 0.44.0 or later.