CVE-2024-32977: OctoPrint has an Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled
OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the autologinLocal option is enabled within config.yaml, even if they come from networks that are not configured as localNetworks, by spoofing their IP via the X-Forwarded-For header.
If autologin is not enabled, this vulnerability does not have any impact.
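The trust problem described above, as an added Python illustration that is not OctoPrint's own code: a resolver that honours X-Forwarded-For from any peer lets a remote client present a localNetworks address, while one that only accepts the header from a configured reverse proxy does not. The network ranges, the trusted proxy address and the header handling are assumptions made for this example.

```python
import ipaddress

# Constructed configuration (assumed, not OctoPrint's defaults).
LOCAL_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("192.168.1.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # assumed reverse proxy


def _in_networks(ip, networks):
    """True if ip parses and lies inside one of the given networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed header value never grants access
    return any(addr in net for net in networks)


def client_ip_vulnerable(remote_addr, headers):
    """Weak resolver: trusts the client-controlled header from any peer."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    """Hardened resolver: the header counts only when the request arrives
    from a known reverse proxy; all other peers are their socket address."""
    xff = headers.get("X-Forwarded-For")
    if xff and _in_networks(remote_addr, TRUSTED_PROXIES):
        # With a single trusted hop, the proxy appended the real client last.
        return xff.split(",")[-1].strip()
    return remote_addr


def autologin_allowed(remote_addr, headers, autologin_local=True,
                      resolver=client_ip_hardened):
    """Local autologin applies only when the resolved client address is
    inside LOCAL_NETWORKS; with autologin disabled nothing is granted."""
    if not autologin_local:
        return False
    return _in_networks(resolver(remote_addr, headers), LOCAL_NETWORKS)
```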