Name of the Vulnerable Software and Affected Versions pi video recording versions (all)

Description The issue concerns insufficient input validation, allowing for Remote Code Execution. An attacker can execute arbitrary code on the server through the "/api/record/start" endpoint. For example, using curl with a specially crafted JSON payload that includes malicious commands, such as {"filename": " || touch /tmp/worked;"}, can create a file in the /tmp/ directory, demonstrating the vulnerability.

Recommendations For all versions, consider using an alternative module until a fix is made available. As a temporary workaround, consider restricting access to the "/api/record/start" endpoint to minimize the risk of exploitation. Avoid using the filename variable in the affected API endpoint until the issue is resolved.