
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-47782 affects motionEye, an online interface for the software motion, a video surveillance program with motion detection. The vulnerability was discovered on May 13, 2025, and affects versions 0.43.1b1 through 0.43.1b3. The issue allows an attacker with motionEye admin user credentials to execute arbitrary commands within a non-interactive shell as the motionEye run user (motion by default) (GitHub Advisory).
The vulnerability exists in the addcamera function, where the V4L2 control code executes a shell command unsafely. The issue stems from improper handling of the camera device path in the config/add/addcamera motionEye web API. The call stack runs from post addcamera through config.addcamera, v4l2ctl.listresolutions and utils.callsubprocess to subprocess.run. The core issue is that the command string wraps the device path in literal single quotes, so a single quote inside the path ends the quoting, allowing command substitution and remote command injection (GitHub Issue).
The vulnerability allows authenticated attackers with admin credentials to execute arbitrary UNIX shell code within a non-interactive shell as the executing user of the motionEye instance. This could potentially lead to complete system compromise within the context of the motion user (GitHub Advisory).
The vulnerability has been patched in motionEye version 0.43.1b4. As a workaround, users can apply a manual patch that replaces the literal single quotes in the created cmd string with the input device passed through shlex.quote. The patch is available through GitHub pull request #3143 (GitHub Advisory, GitHub PR).
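The quoting flaw and the fix described above, as an added example that is not motionEye's own code: it contrasts literal single quotes with shlex.quote and adds a round-trip check suitable for a unit test. The function names, the printf stand-in for the V4L2 tool and the sample device paths are assumptions constructed for illustration.

```python
import shlex
import subprocess

# Hypothetical stand-in for the V4L2 command-line tool so the example runs
# offline: printf simply echoes back the single argument it receives.
TOOL = "printf '%s\\n'"

# Constructed sample inputs (not taken from the advisory).
BENIGN = "/dev/video0"
HOSTILE = "/dev/video0'$(echo INJECTED)'"


def build_cmd_unsafe(device: str) -> str:
    """Weak pattern: untrusted input wrapped in literal single quotes."""
    return f"{TOOL} '{device}'"


def build_cmd_safe(device: str) -> str:
    """Hardened pattern: shlex.quote escapes any embedded single quote."""
    return f"{TOOL} {shlex.quote(device)}"


def run_shell(cmd: str) -> str:
    """Run a command string through the shell and return its stdout."""
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, timeout=5).stdout


def run_argv(device: str) -> str:
    """Alternative that avoids the shell: the device is one argv entry."""
    return subprocess.run(["printf", "%s\n", device], capture_output=True,
                          text=True, timeout=5).stdout


def round_trips(cmd: str, device: str) -> bool:
    """True if the shell would see `device` as exactly one final argument."""
    try:
        return shlex.split(cmd)[-1] == device
    except ValueError:  # unbalanced quotes in the built command
        return False


if __name__ == "__main__":
    for label, build in (("unsafe", build_cmd_unsafe), ("safe", build_cmd_safe)):
        cmd = build(HOSTILE)
        print(f"{label}: round_trips={round_trips(cmd, HOSTILE)} "
              f"output={run_shell(cmd)!r}")
```

The round_trips check can be applied to any code path that still builds a shell string, and it fails for the unsafe builder whenever the input contains a single quote.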
Source: This report was generated using AI