CVE-2025-48067

EPSS 0.25%
Veröffentlicht 10.06.2025 15:19:44
Zuletzt bearbeitet 12.08.2025 13:44:39
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OctoPrint vulnerable to possible file extraction via upload endpoints

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. This vulnerability is fixed in 1.11.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Octoprint ≫ Octoprint Version < 1.11.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.162

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.6	2.1	2.5	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
security-advisories@github.com	5.4	2.3	2.7	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-m9jh-jf9h-x3h2

Vendor Advisory

https://github.com/OctoPrint/OctoPrint/commit/9984b20773f5895a432f965b759999b16c57f7d8

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-48067

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-48067

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-48067

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-48067