CVE-2025-64187
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-07

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description
OctoPrint provides a web interface for controlling consumer 3D printers. Versions 1.11.3 and below are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notifications and prompts popups generated by the printer. An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance. This issue is fixed in version 1.11.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-07
Last Modified
2025-12-04
Generated
2026-06-16
AI Q&A
2025-11-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64187
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
octoprint octoprint to 1.11.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in OctoPrint versions 1.11.3 and below allows an attacker to inject arbitrary HTML and JavaScript into Action Command notifications and popup prompts generated by the printer's web interface. By convincing a user to print a specially crafted file, the attacker can exploit this to disrupt ongoing prints, extract information including sensitive configuration settings (if the user has the necessary permissions), or perform other actions on behalf of the targeted user within the OctoPrint instance.

Impact Analysis

The vulnerability can impact you by allowing an attacker to disrupt your 3D printing process, steal sensitive information such as configuration settings, and perform unauthorized actions within your OctoPrint instance if you have the required permissions. This could lead to loss of print jobs, exposure of sensitive data, and potential misuse of your printer controls.

Mitigation Strategies

Upgrade OctoPrint to version 1.11.4 or later, as this version contains the fix for the vulnerability. Avoid printing files from untrusted sources to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64187. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart