CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-48067: OctoPrint vulnerable to possible file extraction via upload endpoints

5.4 CVSS

Description

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. This vulnerability is fixed in 1.11.2.

Classification

CVE ID: CVE-2025-48067

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

Problem Types

CWE-73: External Control of File Name or Path

Affected Products

Vendor: OctoPrint

Product: OctoPrint

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.61% (scored less or equal to compared to others)

EPSS Date: 2025-07-08 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48067
https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-m9jh-jf9h-x3h2
https://github.com/OctoPrint/OctoPrint/commit/9984b20773f5895a432f965b759999b16c57f7d8

Timeline

2025-06-10 21:15:38 UTC
Github Advisory Database (PIP)

[OctoPrint] OctoPrint vulnerable to possible file extraction via upload endpoints
2025-06-10 23:40:15 UTC
CVE

OctoPrint vulnerable to possible file extraction via upload endpoints