CVE-2025-64187
BaseFortify
Publication date: 2025-11-07
Last updated on: 2025-12-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| octoprint | octoprint | to 1.11.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OctoPrint versions 1.11.3 and below allows an attacker to inject arbitrary HTML and JavaScript into Action Command notifications and popup prompts generated by the printer's web interface. By convincing a user to print a specially crafted file, the attacker can exploit this to disrupt ongoing prints, extract information including sensitive configuration settings (if the user has the necessary permissions), or perform other actions on behalf of the targeted user within the OctoPrint instance.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an attacker to disrupt your 3D printing process, steal sensitive information such as configuration settings, and perform unauthorized actions within your OctoPrint instance if you have the required permissions. This could lead to loss of print jobs, exposure of sensitive data, and potential misuse of your printer controls.
What immediate steps should I take to mitigate this vulnerability?
Upgrade OctoPrint to version 1.11.4 or later, as this version contains the fix for the vulnerability. Avoid printing files from untrusted sources to reduce the risk of exploitation.