CVE-2025-48067
BaseFortify
Publication date: 2025-06-10
Last updated on: 2025-08-12
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| octoprint | octoprint | all versions before 1.11.2 (1.11.2 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-48067 affects OctoPrint releases before 1.11.2 (1.11.1 and earlier). An authenticated user who holds the FILE_UPLOAD permission can hand-craft a multipart request to one of OctoPrint's upload endpoints that includes form inputs meant to be set only by the server's own upload handling, never by the client. Because those inputs tell the handler which file to move into the upload folder, the attacker can point them at any file the OctoPrint process can read; the file lands in the upload folder and can then be downloaded like any other upload, exposing secrets from OctoPrint's configuration or other host files. Since the operation is a move rather than a copy, the same request also removes the file from its original location, so aiming it at files OctoPrint needs at runtime degrades availability. Version 1.11.2 fixes the issue by discarding these internal-only inputs from client requests. [1]
How can this vulnerability impact me?
Any user with file upload privileges, including a low-trust account that was only ever meant to submit print jobs, can read and download any file on the host that the OctoPrint process can read. That covers OctoPrint's own configuration, which may hold API keys and other secrets, as well as arbitrary system files readable by the service account. Because the affected operation moves rather than copies, the same user can also strip away files OctoPrint needs at runtime and so disrupt or take down the service. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection centres on upload traffic from accounts that hold FILE_UPLOAD, since that permission is the only precondition. Inspect HTTP POST requests to the upload endpoints (/api/files/local, /api/files/sdcard, /api/languages, /plugin/backup/restore and /plugin/pluginmanager/upload_file) for multipart form fields that the web UI or a normal API client never sends, in particular fields with internal-only names or values that look like filesystem paths. tcpdump or Wireshark will show the request bodies where the traffic is still cleartext; if OctoPrint sits behind a TLS-terminating reverse proxy, take the capture or the request log on the proxy or on the OctoPrint host instead. curl is useful for reproducing a suspect request against a test instance, not for detection. On the server side, the fixed versions emit a debug message when they discard a part with an internal suffix, so with debug logging enabled those messages are a direct indicator of attempts. On unpatched instances, look for files appearing in the upload folder that no legitimate user uploaded, and for files OctoPrint reads at runtime going missing. [1]
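The request inspection described above, and the difference between the pre-fix and fixed handling of the form inputs, as an added example that is not OctoPrint's own code. The suffix list, the field name "file.path", the spooled temp path and both request bodies are constructed assumptions for illustration; the page only states that internal-only form inputs were accepted and that the fix discards parts with internal suffixes.

```python
"""Inspect multipart upload requests for client-supplied internal-only fields.

Added example, not OctoPrint's own code. The suffix list, the field name
"file.path" and the request bodies below are assumptions built for
illustration: the advisory only states that internal-only form inputs were
accepted and that the fix discards parts with internal suffixes.
"""
import re

# Assumed: suffixes the server's own upload handling appends to describe an
# already spooled upload (where it was stored, its original name, its MIME
# type). A client must never be allowed to supply these.
INTERNAL_SUFFIXES = (".path", ".name", ".content_type")

# Upload endpoints named in the detection guidance on this page.
UPLOAD_ENDPOINTS = (
    "/api/files/local",
    "/api/files/sdcard",
    "/api/languages",
    "/plugin/backup/restore",
    "/plugin/pluginmanager/upload_file",
)

_DISP_RE = re.compile(rb';\s*(name|filename)="([^"]*)"')


def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Minimal multipart/form-data parser: one dict per part with
    name, filename (None for plain fields) and raw data."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # "--boundary--" closes the body
            break
        # [2:] drops the CRLF that follows the delimiter line
        head, _, data = chunk[2:].partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        part = {"name": None, "filename": None, "data": data}
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                for key, val in _DISP_RE.findall(line):
                    part[key.decode()] = val.decode()
        parts.append(part)
    return parts


def suspicious_fields(parts: list[dict]) -> list[str]:
    """Names of parts a client should never send."""
    return [p["name"] for p in parts
            if p["name"] and p["name"].endswith(INTERNAL_SUFFIXES)]


def form_fields(parts: list[dict]) -> dict:
    """Non-file parts as name -> text value."""
    return {p["name"]: p["data"].decode()
            for p in parts if p["name"] and p["filename"] is None}


def source_path(fields: dict, spooled_path: str, hardened: bool) -> str:
    """Which file the handler goes on to move into the upload folder.

    hardened=False models the pre-fix shape: a client-supplied "file.path"
    overrides the path the server spooled the upload to, so any readable
    file can be moved (and thereby removed from its original location).
    hardened=True models the fix: internal fields from the client are
    discarded first, so only the spooled upload is ever moved.
    """
    if hardened:
        fields = {k: v for k, v in fields.items()
                  if not k.endswith(INTERNAL_SUFFIXES)}
    return fields.get("file.path", spooled_path)


def inspect_request(path: str, body: bytes, boundary: str) -> dict:
    """Detection view: flag uploads to the listed endpoints that carry
    internal-only fields."""
    parts = parse_multipart(body, boundary)
    flagged = suspicious_fields(parts) if path in UPLOAD_ENDPOINTS else []
    return {"path": path, "fields": [p["name"] for p in parts],
            "suspicious": flagged, "alert": bool(flagged)}


# Constructed sample bodies (boundary "demo"), not captured traffic.
BOUNDARY = "demo"
BENIGN_BODY = (
    b"--demo\r\n"
    b'Content-Disposition: form-data; name="file"; filename="part.gcode"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"G28\r\n"
    b"--demo\r\n"
    b'Content-Disposition: form-data; name="select"\r\n\r\n'
    b"true\r\n"
    b"--demo--\r\n"
)
MALICIOUS_BODY = (
    b"--demo\r\n"
    b'Content-Disposition: form-data; name="file"; filename="bait.gcode"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"G28\r\n"
    b"--demo\r\n"
    b'Content-Disposition: form-data; name="file.path"\r\n\r\n'
    b"/home/pi/.octoprint/config.yaml\r\n"
    b"--demo--\r\n"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, inspect_request("/api/files/local", body, BOUNDARY))
    fields = form_fields(parse_multipart(MALICIOUS_BODY, BOUNDARY))
    print("pre-fix moves:", source_path(fields, "/tmp/upload-a1b2", hardened=False))
    print("fixed moves:  ", source_path(fields, "/tmp/upload-a1b2", hardened=True))
```

Feeding reassembled POST bodies from a capture into `inspect_request` gives the alert described above; the `source_path` pair shows why stripping the client-supplied internal fields before any filesystem operation is the right fix rather than validating the supplied path.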
What immediate steps should I take to mitigate this vulnerability?
Upgrade OctoPrint to 1.11.2 or later; that release removes the internal-only form inputs from upload requests and discards any such parts a client still sends. Until the upgrade is done, remove the FILE_UPLOAD permission from every user and group that does not strictly need it, since the attack requires nothing beyond that permission, and treat any remaining holders as trusted operators. Keep watching the upload endpoints for the request patterns described above and enable debug logging so discarded-part messages are recorded. [1, 2]
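A version gate for the upgrade step, as an added example that is not OctoPrint's own code. GET /api/version and its "server" field are documented OctoPrint API; the sample response is constructed, the host and API key in the comment are placeholders, and treating a pre-release of 1.11.2 such as "1.11.2rc1" as unpatched is a conservative assumption to confirm against the release notes.

```python
"""Decide from GET /api/version whether an OctoPrint instance predates the fix.

Added example, not OctoPrint's own code. The endpoint and its "server"
field are documented OctoPrint API; the sample response below is
constructed, and treating pre-releases of 1.11.2 (e.g. "1.11.2rc1") as
unpatched is a conservative assumption to confirm against the release notes.
"""
import json
import re

FIXED_VERSION = (1, 11, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> tuple:
    """'1.11.1' -> ((1, 11, 1), ''), '1.11.2rc1' -> ((1, 11, 2), 'rc1')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def is_vulnerable(server_version: str) -> bool:
    """True when the running release predates 1.11.2."""
    core, suffix = parse_version(server_version)
    if core < FIXED_VERSION:
        return True
    # Assumption: a pre-release of the fix version is treated as unpatched.
    return core == FIXED_VERSION and bool(suffix)


def assess(version_json: str) -> dict:
    """Takes the JSON body returned by GET /api/version (request it with the
    X-Api-Key header) and reports whether an upgrade is required."""
    data = json.loads(version_json)
    version = data["server"]
    vulnerable = is_vulnerable(version)
    return {"server": version, "vulnerable": vulnerable,
            "action": "upgrade to 1.11.2 or later" if vulnerable else "patched"}


# Constructed sample response, not captured from a live instance.
SAMPLE_RESPONSE = '{"api": "0.1", "server": "1.11.1", "text": "OctoPrint 1.11.1"}'

if __name__ == "__main__":
    # Live use (placeholder host and key):
    #   curl -s -H "X-Api-Key: $KEY" http://octopi.local/api/version
    print(assess(SAMPLE_RESPONSE))
```

Pipe the curl output into `assess` across every instance you manage; the JSON answer is easier to fleet-wide inventory than reading the web UI one printer at a time.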