ghsa-49mj-x8jp-qvfc
Vulnerability from github
Published
2025-09-09 19:22
Modified
2025-09-18 18:32
Summary
OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload
Details

Impact

OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered.

If no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact.

Patches

The vulnerability will be patched in version 1.11.3.

Workaround

Until the patch has been applied, OctoPrint administrators who have event handlers configured that include any kind of filename based placeholders (e.g. {__filename}, {__filepath}, (unknown), {path}, etc.; refer to the events documentation at https://docs.octoprint.org/en/master/events/index.html#placeholders for a full list) should disable those by setting their enabled property to False or unchecking the "Enabled" checkbox in the GUI based Event Manager.

Alternatively, OctoPrint administrators should set feature.enforceReallyUniversalFilenames to true in config.yaml and restart OctoPrint, then vet the existing uploads and make sure to delete any suspicious looking files (e.g. those that contain a ; in their name followed by a command).
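As an added illustration of the vetting step above (this is not OctoPrint's own code): a script that walks an uploads folder and flags every filename that would be unsafe to substitute into a shell command, generalizing from the ";" case the advisory names to the other shell metacharacters. The uploads folder path is an assumption and deployment-specific; the demo builds a temporary tree with constructed sample names instead.

```python
"""Vet an upload folder for filenames that are unsafe to pass to a shell.

Added example, not OctoPrint's code. Point vet_uploads() at the instance's
uploads folder (an assumption here; the path depends on the deployment).
"""
import tempfile
from pathlib import Path

# A filename that reaches an event handler command unquoted can end the
# intended command at ';' (the case the advisory describes) or inject via the
# other metacharacters below. Whitespace is flagged too, because an unquoted
# space splits one argument into several.
SHELL_META = set(";&|<>()`$\\\"'") | set(" \t\n\r")


def is_shell_unsafe(name: str) -> bool:
    """True if `name` contains any character a POSIX shell would interpret."""
    return any(c in SHELL_META for c in name)


def vet_uploads(root: Path) -> list[str]:
    """Return paths (relative to root) of files whose names are shell-unsafe."""
    flagged = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and is_shell_unsafe(path.name):
            flagged.append(str(path.relative_to(root)))
    return flagged


def demo() -> list[str]:
    """Build a constructed upload tree (sample data, not real uploads) and vet it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "models").mkdir()
        for name in ("benchy_v2.gcode",            # fine
                     "calibration-cube.gcode",     # fine
                     "benchy; id.gcode",           # ';' followed by a command
                     "cube$(date).gcode",          # command substitution
                     "models/vase | cat.gcode"):   # pipe, in a subfolder
            (root / name).write_text("; constructed sample\n")
        return vet_uploads(root)


if __name__ == "__main__":
    for rel in demo():
        print("suspicious upload:", rel)
```

Review the flagged list by hand before deleting anything; a legitimate print named with a stray space is flagged as well, and renaming it is enough.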

As always, OctoPrint administrators are advised to not expose OctoPrint on hostile networks like the public internet, and to vet who has access to their instance.

Credits

This vulnerability was discovered and responsibly disclosed to OctoPrint by @prabhatverma47.



{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "octoprint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-09T19:22:22Z",
    "nvd_published_at": "2025-09-09T20:15:48Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nOctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an **authenticated** attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered.\n\nIf no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact.\n\n### Patches\n\nThe vulnerability will be patched in version 1.11.3.\n\n### Workaround\n\nUntil the patch has been applied, OctoPrint administrators who have event handlers configured that include any kind of filename based placeholders (i.e. `{__filename}`, `{__filepath}`, `(unknown)`, `{path}`, etc -- refer to [the events documentation](https://docs.octoprint.org/en/master/events/index.html#placeholders) for a full list) should disable those by setting their `enabled` property to `False` or unchecking the \"Enabled\" checkbox in the GUI based Event Manager.\n\nAlternatively, OctoPrint administrators should set `feature.enforceReallyUniversalFilenames` to `true` in `config.yaml` and restart OctoPrint, then vet the existing uploads and make sure to delete any suspicious looking files (e.g. those that contain a `;` in their name followed by a command).\n\nAs always, OctoPrint administrators are advised to not expose OctoPrint on hostile networks like the public internet, and to vet who has access to their instance.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by @prabhatverma47.",
  "id": "GHSA-49mj-x8jp-qvfc",
  "modified": "2025-09-18T18:32:10Z",
  "published": "2025-09-09T19:22:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58180"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/commit/be4201ef58d9a7c03593252398c16eada90a258b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/commit/c3a940962f4658a8e035a00388781b1cbd768841"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OctoPrint/OctoPrint"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.11.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload"
}