GHSA-RW9Q-97R9-8GVH

Vulnerability from github – Published: 2026-06-23 18:32 – Updated: 2026-06-23 18:32
VLAI
Summary
motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
Details

Summary

mEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem.

The affected handlers accept a user-controlled filename parameter and construct filesystem paths using os.path.join(). When an absolute path is supplied, Python discards the configured media directory and returns the attacker-supplied path directly. The application then bypasses Tornado's built-in path validation by overriding the relevant safety checks.

As a result, an attacker can access files outside of the configured camera media directory, subject to the permissions of the motionEye process.

Details

The issue exists in the media playback and download functionality.

The filename parameter is passed to mediafiles.get_media_path():

def get_media_path(camera_config, path, media_type):
    target_dir = camera_config.get('target_dir')
    full_path = os.path.join(target_dir, path)
    return full_path

When path is an absolute path (e.g. /etc/motioneye/motion.conf), Python's os.path.join() discards target_dir entirely and returns the absolute path as-is. This would normally be caught by Tornado's StaticFileHandler path validation, but MoviePlaybackHandler explicitly overrides both safety checks (movie_playback.py lines 111-115):

def get_absolute_path(self, root, path):
    return path

def validate_absolute_path(self, root, absolute_path):
    return absolute_path

This allows reading any file on the filesystem that the motionEye process can access.

The same path traversal exists in the movie download, picture download, and picture preview handlers:

  • GET /movie//download/
  • GET /picture//download/
  • GET /picture//preview/

PoC

GET /movie/1/playback//etc/motioneye/motion.conf HTTP/1.1
Host: target:8765

Fix

Do not allow absolute paths supplied by user input.

Validate that the fully resolved canonical path remains within the configured camera media directory before serving a file.

Additionally, Tornado’s built-in path validation should not be bypassed unless equivalent validation is performed by motionEye.

Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "motioneye"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.44.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55488"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T18:32:46Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nmEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem.\n\nThe affected handlers accept a user-controlled filename parameter and construct filesystem paths using `os.path.join()`. When an absolute path is supplied, Python discards the configured media directory and returns the attacker-supplied path directly. The application then bypasses Tornado\u0027s built-in path validation by overriding the relevant safety checks.\n\nAs a result, an attacker can access files outside of the configured camera media directory, subject to the permissions of the motionEye process.\n\n### Details\n\nThe issue exists in the media playback and download functionality.\n\nThe filename parameter is passed to `mediafiles.get_media_path()`:\n\n```python\ndef get_media_path(camera_config, path, media_type):\n    target_dir = camera_config.get(\u0027target_dir\u0027)\n    full_path = os.path.join(target_dir, path)\n    return full_path\n```\n\nWhen path is an absolute path (e.g. `/etc/motioneye/motion.conf`), Python\u0027s `os.path.join()` discards `target_dir` entirely and returns the absolute path as-is. This would normally be caught by Tornado\u0027s StaticFileHandler path validation, but MoviePlaybackHandler explicitly overrides both safety checks (`movie_playback.py` lines 111-115):\n\n```\ndef get_absolute_path(self, root, path):\n    return path\n\ndef validate_absolute_path(self, root, absolute_path):\n    return absolute_path\n```\nThis allows reading any file on the filesystem that the motionEye process can access.\n\nThe same path traversal exists in the movie download, picture download, and picture preview handlers:\n\n- GET /movie/\u003ccamera_id\u003e/download/\u003cfilename\u003e\n- GET /picture/\u003ccamera_id\u003e/download/\u003cfilename\u003e\n- GET /picture/\u003ccamera_id\u003e/preview/\u003cfilename\u003e\n\n# PoC\n\n```\nGET /movie/1/playback//etc/motioneye/motion.conf HTTP/1.1\nHost: target:8765\n```\n\n# Fix\n\nDo not allow absolute paths supplied by user input.\n\nValidate that the fully resolved canonical path remains within the configured camera media directory before serving a file.\n\nAdditionally, Tornado\u2019s built-in path validation should not be bypassed unless equivalent validation is performed by motionEye.",
  "id": "GHSA-rw9q-97r9-8gvh",
  "modified": "2026-06-23T18:32:46Z",
  "published": "2026-06-23T18:32:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/motioneye-project/motioneye/security/advisories/GHSA-rw9q-97r9-8gvh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/motioneye-project/motioneye"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "motionEye\u0027s Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.