CVE-2024-49377
📋 TL;DR
OctoPrint versions up to 1.10.2 contain reflected cross-site scripting (XSS) vulnerabilities in login and application key confirmation dialogs. Attackers can craft malicious links that, when clicked by victims, allow execution of arbitrary JavaScript in the context of the OctoPrint session, potentially enabling configuration manipulation, print interruption, or other malicious interactions. All OctoPrint users running vulnerable versions are affected.
💻 Affected Systems
- OctoPrint
📦 What is this software?
OctoPrint, maintained by the OctoPrint project: a web interface for monitoring and controlling 3D printers.
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full control of OctoPrint instance, modifies printer configurations, interrupts active prints, steals authentication credentials, or deploys persistent backdoors.
Likely Case
Attacker modifies printer settings, interrupts ongoing prints, or steals session cookies to gain unauthorized access.
If Mitigated
Limited impact due to network segmentation, with only local network users potentially affected and no sensitive data exposure.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but is technically simple. No authentication required to trigger the vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.3
Vendor Advisory: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xvxq-g8hw-fx4g
Restart Required: Yes
Instructions:
1. Back up the current OctoPrint configuration.
2. Update OctoPrint to version 1.10.3 or later using the built-in updater or a manual installation.
3. Restart the OctoPrint service.
4. Verify that the update completed successfully (the reported version is 1.10.3 or later).
🔧 Temporary Workarounds
Network Isolation
Restrict access to the OctoPrint web interface to the trusted local network only, blocking access from the internet.
Configure firewall rules to block inbound traffic to the OctoPrint port (default: 5000) from external networks.
Reverse Proxy with WAF
Deploy OctoPrint behind a reverse proxy with web application firewall rules that filter XSS payloads.
Configure an nginx or Apache reverse proxy with ModSecurity or similar WAF rules.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OctoPrint from untrusted networks
- Educate users to never click unsolicited links to the OctoPrint interface
🔍 How to Verify
Check if Vulnerable:
Check the OctoPrint version under Settings > About in the web interface, or run: python -c "import octoprint; print(octoprint.__version__)"
Check Version:
python -c "import octoprint; print(octoprint.__version__)"
Verify Fix Applied:
Confirm the version is 1.10.3 or higher. Test the login page with basic XSS payloads like <script>alert('test')</script> in URL parameters; a patched instance renders the payload as inert text instead of executing it.
📡 Detection & Monitoring
Log Indicators:
- Unusual parameter values in login requests containing script tags or JavaScript code
- Multiple failed login attempts with suspicious parameters
Network Indicators:
- HTTP requests to login or appkey endpoints with encoded script tags in query parameters
- External IP addresses accessing OctoPrint login endpoints
SIEM Query:
source="octoprint.log" AND ("login" OR "appkey") AND ("<script" OR "javascript:" OR "%3Cscript")
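The log indicators and SIEM query above, applied to request logs, as an added example (not part of the original advisory or of OctoPrint): it flags requests to login or appkey paths whose query string contains a script tag or javascript: URI, percent-decoding repeatedly so URL-encoded and double-encoded variants such as %3Cscript and %253Cscript are caught. The log lines and the request paths are constructed for the example and are not OctoPrint's real log format or routes.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample request lines (method, path+query, status); not the
# real OctoPrint log format and not OctoPrint's actual route names.
SAMPLE_LOG = """\
GET /login?redirect=%2F 200
GET /login?redirect=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
GET /appkey/confirm?next=javascript:alert(1) 200
GET /api/version 200
GET /login?next=%253cScRiPt%253E 200
""".splitlines()

# Indicators named in the advisory's detection section (case-insensitive).
SUSPECT = re.compile(r"<script|javascript:", re.IGNORECASE)
TARGET_PATHS = ("login", "appkey")


def decode_fully(value, rounds=3):
    """Percent-decode until stable so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(line):
    """True if the request targets a login/appkey path with an XSS indicator."""
    parts = line.split()
    if len(parts) < 2:
        return False
    url = urlsplit(parts[1])
    if not any(target in url.path.lower() for target in TARGET_PATHS):
        return False
    return bool(SUSPECT.search(decode_fully(url.query)))


def scan(lines):
    """Return the log lines that match the detection rule."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```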