CVE-2025-58180
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| octoprint | octoprint | to 1.11.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58180 is a high-severity remote code execution vulnerability in OctoPrint versions up to 1.11.2. It occurs because OctoPrint allows authenticated users to upload files with specially crafted filenames. If these filenames are used as parameters in system event handler commands and those events are triggered, an attacker can execute arbitrary commands on the host system. The vulnerability exploits improper sanitization of filenames and unsafe handling of these filenames in system commands. If no event handlers use filename-based placeholders in system commands, the vulnerability has no impact. [1]
How can this vulnerability impact me?
If you run a vulnerable version of OctoPrint (up to 1.11.2) and have configured event handlers that execute system commands using uploaded filenames as parameters, an authenticated attacker can upload a file with a malicious filename to execute arbitrary commands on your system. This can lead to full compromise of the host running OctoPrint, affecting confidentiality, integrity, and availability of your system. However, if you do not have such event handlers configured, the vulnerability does not affect you. Mitigations include upgrading to OctoPrint 1.11.3, disabling event handlers that use filename placeholders, enforcing stricter filename validation, and restricting access to trusted users and networks. [1, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your OctoPrint instance is running a vulnerable version (up to and including 1.11.2) and if any event handlers are configured to execute system commands that include filename-based placeholders such as {__filename}, {__filepath}, (unknown), or {path}. You should also look for suspicious uploaded files with specially crafted filenames containing unsafe characters like semicolons or shell metacharacters. There are no specific network detection commands provided, but administrators should audit event handlers in the Event Manager GUI or configuration files and review uploaded files for suspicious names. Additionally, monitoring for unexpected command executions triggered by events could help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading OctoPrint to version 1.11.3 where the vulnerability is patched. Until upgrading, disable any event handlers that use filename-based placeholders by setting their enabled property to false or disabling them via the Event Manager GUI. Alternatively, set `feature.enforceReallyUniversalFilenames` to true in the config.yaml file and restart OctoPrint, then review and delete any suspicious uploaded files. Additionally, avoid exposing OctoPrint instances to hostile networks such as the public internet and restrict authenticated user access carefully. In version 1.11.3, configure system event commands to explicitly specify the shell mode parameter to reduce risk, and adapt commands to run without shell mode where possible. [1, 4]
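The audit and interim hardening described in the two answers above, as an added example that is not OctoPrint's own code or part of the original page. It assumes the loaded config.yaml is a dict with the `events.subscriptions` list used by OctoPrint (entries with `event`, `type`, `command` and `enabled` keys; in practice you would obtain it with `yaml.safe_load`), and it generalizes the page's placeholder list by also flagging any other `{...}` token whose name mentions "file" or "path". A constructed sample config is embedded so the script runs offline.

```python
import re
from copy import deepcopy

# Placeholders named on the advisory page. Any other {...} token whose name
# contains "file" or "path" is also flagged (assumed generalization).
KNOWN_FILENAME_PLACEHOLDERS = {"{__filename}", "{__filepath}", "{path}"}
PLACEHOLDER_RE = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Characters that let a filename alter the meaning of a shell command.
SHELL_META_RE = re.compile(r"[;&|`$<>\n\r\\\"'(){}\[\]*?!]")


def filename_placeholders(command: str) -> list[str]:
    """Return the filename/path placeholders used in a system event command."""
    found = []
    for m in PLACEHOLDER_RE.finditer(command):
        token, name = m.group(0), m.group(1).lower()
        if token in KNOWN_FILENAME_PLACEHOLDERS or "file" in name or "path" in name:
            found.append(token)
    return found


def audit_event_handlers(config: dict) -> list[dict]:
    """List enabled system-type subscriptions that pass filename data into a
    shell command; these are the handlers that make a pre-1.11.3 instance
    exploitable according to the advisory."""
    findings = []
    subscriptions = (config.get("events") or {}).get("subscriptions") or []
    for idx, sub in enumerate(subscriptions):
        if sub.get("type") != "system":
            continue  # gcode-type subscriptions never reach a shell
        if sub.get("enabled", True) is False:
            continue  # already disabled, nothing to report
        command = sub.get("command", "")
        if isinstance(command, list):  # OctoPrint also accepts a list of commands
            command = " ".join(command)
        tokens = filename_placeholders(command)
        if tokens:
            findings.append({"index": idx, "event": sub.get("event"),
                             "command": command, "placeholders": tokens})
    return findings


def unsafe_filename(name: str) -> bool:
    """True if an uploaded filename contains shell metacharacters worth reviewing."""
    return SHELL_META_RE.search(name) is not None


def harden_config(config: dict) -> dict:
    """Interim mitigation from the advisory: disable every flagged handler and
    set feature.enforceReallyUniversalFilenames to true. Returns a new dict."""
    hardened = deepcopy(config)
    for finding in audit_event_handlers(config):
        hardened["events"]["subscriptions"][finding["index"]]["enabled"] = False
    hardened.setdefault("feature", {})["enforceReallyUniversalFilenames"] = True
    return hardened


# Constructed sample mirroring the shape of an OctoPrint config.yaml (assumption).
SAMPLE_CONFIG = {
    "feature": {},
    "events": {
        "enabled": True,
        "subscriptions": [
            {"event": "FileAdded", "type": "system", "enabled": True,
             "command": "cp {__filepath} /var/backups/prints/{__filename}"},
            {"event": "PrintDone", "type": "system", "enabled": True,
             "command": "notify-send 'print finished'"},
            {"event": "Upload", "type": "system", "enabled": False,
             "command": "logger uploaded {path}"},
            {"event": "PrintStarted", "type": "gcode",
             "command": "M117 Starting {__filename}"},
        ],
    },
}

if __name__ == "__main__":
    for f in audit_event_handlers(SAMPLE_CONFIG):
        print(f"subscription #{f['index']} ({f['event']}) uses {f['placeholders']}: {f['command']}")
    print("hardened feature block:", harden_config(SAMPLE_CONFIG)["feature"])
```

Run the audit against your real config (load it with `yaml.safe_load`) before and after upgrading; on 1.11.3 the findings are the handlers whose shell mode setting you should review, and on older versions they are the handlers to disable until the upgrade is done.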