CVE-2025-48067
📋 TL;DR
OctoPrint versions up to and including 1.11.1 contain a file exfiltration vulnerability: authenticated users holding the FILE_UPLOAD permission can move any file readable by the OctoPrint process into the upload folder, from where it can be downloaded. All OctoPrint installations running a vulnerable version are affected. The vulnerability lets an attacker read sensitive files that the OctoPrint process itself can read.
💻 Affected Systems
- OctoPrint
📦 What is this software?
OctoPrint, the open-source web interface for 3D printers, developed by the OctoPrint project.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate sensitive system files, configuration files, SSH keys, or other credentials stored on the host, potentially leading to full system compromise.
Likely Case
Authenticated users with FILE_UPLOAD permission could access sensitive OctoPrint configuration files, logs, or other application data they shouldn't normally access.
If Mitigated
With proper permission controls and network segmentation, impact is limited to files OctoPrint can read, which should be minimal in well-configured environments.
🎯 Exploit Status
Exploitation requires authenticated access with FILE_UPLOAD permission. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.2
Vendor Advisory: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-m9jh-jf9h-x3h2
Restart Required: Yes
Instructions:
1. Back up your OctoPrint configuration.
2. Update OctoPrint to version 1.11.2 or later using the built-in updater or a manual installation.
3. Restart the OctoPrint service.
🔧 Temporary Workarounds
Restrict FILE_UPLOAD permissions
Remove the FILE_UPLOAD permission from all users except administrators who absolutely need it. Use OctoPrint's user management interface to modify permissions.
Implement network segmentation
Isolate the OctoPrint instance from sensitive systems and limit network access to it.
🧯 If You Can't Patch
- Restrict FILE_UPLOAD permissions to minimal necessary users only
- Implement strict network access controls and isolate OctoPrint from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check the OctoPrint version in the web interface or on the command line. If the version is 1.11.1 or earlier, the system is vulnerable.
Check Version:
Run octoprint --version on the host, or open the About page in the web interface.
Verify Fix Applied:
Verify that the OctoPrint version is 1.11.2 or later. Test that users with FILE_UPLOAD permission can no longer move files from outside the designated upload folder into it.
📡 Detection & Monitoring
Log Indicators:
- Unusual file movement operations in upload logs
- Multiple file operations from single user in short time
Network Indicators:
- Unusual download patterns from OctoPrint upload endpoints
SIEM Query:
source="octoprint.log" AND ("move" OR "rename") AND NOT path CONTAINS "/uploads/"
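The SIEM query above is pseudo-syntax. As an added example (not part of this advisory or of OctoPrint), the following Python applies the same two indicators, a move/rename whose source path lies outside the upload folder and a burst of file operations by one user, to constructed log lines in a hypothetical key=value layout, since OctoPrint's actual log format is not given here. The upload path and the line layout are assumptions.

```python
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed upload folder of a default Raspberry Pi install; adjust for your instance.
UPLOAD_DIR = "/home/pi/.octoprint/uploads/"

# Constructed sample lines in a hypothetical "key=value" layout, NOT OctoPrint's real log format.
SAMPLE_LOG = """\
2025-06-01 10:00:01 user=alice op=upload src=- dst=/home/pi/.octoprint/uploads/part.gcode
2025-06-01 10:00:05 user=mallory op=move src=/home/pi/.octoprint/config.yaml dst=/home/pi/.octoprint/uploads/c.gcode
2025-06-01 10:00:07 user=mallory op=move src=/home/pi/.ssh/id_rsa dst=/home/pi/.octoprint/uploads/k.gcode
2025-06-01 10:00:09 user=mallory op=rename src=/etc/passwd dst=/home/pi/.octoprint/uploads/p.gcode
2025-06-01 10:05:00 user=bob op=move src=/home/pi/.octoprint/uploads/old.gcode dst=/home/pi/.octoprint/uploads/archive/old.gcode
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) op=(?P<op>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev

def is_outside_upload_dir(path):
    """True if the normalised path lies outside UPLOAD_DIR (normalising resolves '..' segments)."""
    norm = posixpath.normpath(path)
    return not (norm == UPLOAD_DIR.rstrip("/") or norm.startswith(UPLOAD_DIR))

def find_suspicious_moves(log_text):
    """Move/rename events whose *source* is outside the upload folder, as (user, src, dst)."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["op"] in ("move", "rename") and is_outside_upload_dir(ev["src"]):
            hits.append((ev["user"], ev["src"], ev["dst"]))
    return hits

def burst_users(log_text, threshold=3, window=timedelta(seconds=60)):
    """Users with at least `threshold` file operations inside some `window`-long interval."""
    times = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        times[ev["user"]].append(ev["ts"])
    return [u for u, ts in times.items()
            if any(sum(1 for t in ts if timedelta(0) <= t - s <= window) >= threshold for s in ts)]
```

Against the constructed sample, find_suspicious_moves flags only the three events whose source is outside the upload folder, and burst_users flags the one account that performed them within a minute.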