CVE-2025-48067

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. This vulnerability is fixed in 1.11.2.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/OctoPrint/OctoPrint/commit/9984b20773f5895a432f965b759999b16c57f7d8
https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-m9jh-jf9h-x3h2

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
Summary		(es) OctoPrint proporciona una interfaz web para controlar impresoras 3D de consumo. Las versiones de OctoPrint hasta la 1.11.1 (incluida) contienen una vulnerabilidad que permite a un atacante con el permiso FILE_UPLOAD extraer archivos del host al que OctoPrint tiene acceso de lectura, trasladándolos a la carpeta de carga, desde donde se pueden descargar. Esta vulnerabilidad se corrigió en la versión 1.11.2.

10 Jun 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 16:15

Updated : 2025-06-12 16:06

NVD link : CVE-2025-48067

Mitre link : CVE-2025-48067

CVE.ORG link : CVE-2025-48067

JSON object : View

Products Affected

No product.

CWE

CWE-73

External Control of File Name or Path

5.4 /10