CVE-2025-58180: OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload
(updated )
OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered.
If no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact.
References
- github.com/OctoPrint/OctoPrint
- github.com/OctoPrint/OctoPrint/commit/be4201ef58d9a7c03593252398c16eada90a258b
- github.com/OctoPrint/OctoPrint/commit/c3a940962f4658a8e035a00388781b1cbd768841
- github.com/OctoPrint/OctoPrint/releases/tag/1.11.3
- github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc
- github.com/advisories/GHSA-49mj-x8jp-qvfc
- nvd.nist.gov/vuln/detail/CVE-2025-58180
Code Behaviors & Features
Detect and mitigate CVE-2025-58180 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →