CVE-2025-62169
📋 TL;DR
OctoPrint-SpoolManager plugin versions 1.7.7 and older (stable) and 1.8.0a2 and older (testing) lack authentication and authorization checks on their API endpoints, so anyone who can reach the OctoPrint instance over the network can call spool management functions. Every installation running a vulnerable plugin version is affected; the impact is greater on OctoPrint versions older than 1.11.2.
💻 Affected Systems
- OctoPrint-SpoolManager
⚠️ Manual Verification Required
Automated detection keyed on the NVD entry may not be able to tell whether your system is affected, because that entry does not carry machine-readable version ranges. The vendor advisory does: SpoolManager 1.7.7 and older (stable) and 1.8.0a2 and older (testing) are vulnerable. Check the installed plugin version yourself as described under "How to Verify" below.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers could manipulate spool data, potentially disrupting 3D printing operations, accessing sensitive metadata, or causing denial of service to printing workflows.
Likely Case
Unauthorized users accessing or modifying spool usage data, potentially affecting print job tracking and material management.
If Mitigated
With network access to OctoPrint restricted to trusted hosts and OctoPrint 1.11.2 or newer installed, the impact is reduced but not eliminated; only the plugin update (1.7.8 / 1.8.0a3) restores the missing authentication and authorization checks.
🎯 Exploit Status
Exploitation requires network access to OctoPrint instance; no authentication needed for vulnerable API endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Stable: 1.7.8, Testing: 1.8.0a3
Vendor Advisory: https://github.com/WildRikku/OctoPrint-SpoolManager/security/advisories/GHSA-2rrc-f24f-94f6
Restart Required: Yes
Instructions:
1. Open the OctoPrint web interface.
2. Go to Settings → Plugin Manager.
3. Check for SpoolManager plugin updates.
4. Update to version 1.7.8 (stable) or 1.8.0a3 (testing).
5. Restart the OctoPrint service when prompted.
🔧 Temporary Workarounds
Network Isolation (all platforms)
Restrict network access to the OctoPrint instance to trusted networks only; do not expose it directly to the internet.
Update OctoPrint (Linux)
Upgrade OctoPrint to version 1.11.2 or newer to reduce the impact. OctoPrint is normally installed in its own virtualenv (on OctoPi: /home/pi/oprint), so use that environment's pip rather than the system pip with sudo, then restart the service. The paths below assume an OctoPi install; adjust them for other layouts, or use the built-in Software Update plugin instead.
~/oprint/bin/pip install --upgrade octoprint
sudo service octoprint restart
🧯 If You Can't Patch
- Disable the SpoolManager plugin via OctoPrint Plugin Manager
- Implement strict network access controls and firewall rules to limit access to OctoPrint
🔍 How to Verify
Check if Vulnerable:
Check plugin version in OctoPrint web interface → Settings → Plugin Manager → SpoolManager
Check Version:
grep -i "spoolmanager (" ~/.octoprint/logs/octoprint.log | tail -1
~/oprint/bin/pip show OctoPrint-SpoolManager
The first command picks the version out of the plugin listing OctoPrint writes at startup; the second asks pip directly (path assumes an OctoPi install, adjust for your virtualenv).
Verify Fix Applied:
Confirm SpoolManager version is 1.7.8 or higher (stable) or 1.8.0a3 or higher (testing)
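Comparing the installed version against the two fixed versions has a trap: the testing build 1.8.0a2 sorts above the stable fix 1.7.8, so a plain "is it at least 1.7.8" check would wrongly clear it. The script below is an added example for this page, not code from the SpoolManager project or from OctoPrint; it parses the version out of a constructed OctoPrint startup log excerpt (the plugin listing format is assumed from typical octoprint.log output) and evaluates each release line against its own fix version.

```python
import re

# Fixed versions published in GHSA-2rrc-f24f-94f6 (stable and testing lines).
FIXED_STABLE = "1.7.8"
FIXED_TESTING = "1.8.0a3"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
# Final releases sort after any pre-release of the same number.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}


def parse_version(text):
    """Parse 'X.Y.Z' or 'X.Y.Za2'-style strings into a sortable tuple.

    Covers the version shapes the SpoolManager project uses (plain and
    a/b/rc pre-releases); other PEP 440 forms are rejected rather than
    silently misordered.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    return (
        (int(major), int(minor), int(patch)),
        (_PRE_RANK[tag], int(num) if num else 0),
    )


def is_vulnerable(version_text):
    """True if the given SpoolManager version is in the affected range.

    The two release lines are evaluated separately: anything at or above
    1.8.0a3 is fixed, an earlier 1.8.0 pre-release (e.g. 1.8.0a2) is
    vulnerable, and the stable line is vulnerable below 1.7.8.
    """
    v = parse_version(version_text)
    testing_fix = parse_version(FIXED_TESTING)
    stable_fix = parse_version(FIXED_STABLE)
    if v >= testing_fix:
        return False            # 1.8.0a3 and later testing builds, and 1.8.0+
    if v[0] >= testing_fix[0]:
        return True             # an earlier 1.8.0 pre-release such as 1.8.0a2
    return v < stable_fix       # stable line: anything before 1.7.8


# Version as OctoPrint prints it in its startup plugin listing, assumed to
# look like "| SpoolManager (1.7.7) = /path/...". The log excerpt below is
# constructed for this example, not taken from a real system.
_LOG_RE = re.compile(r"SpoolManager \((?P<ver>[0-9][^)]*)\)", re.IGNORECASE)

SAMPLE_LOG = """\
2025-10-20 10:00:00,123 - octoprint.plugin.core - INFO - 12 plugin(s) registered with the system:
|  Announcement Plugin (1.11.2) = /home/pi/oprint/lib/python3.11/site-packages/octoprint/plugins/announcements
|  SpoolManager (1.7.7) = /home/pi/oprint/lib/python3.11/site-packages/octoprint_SpoolManager
"""


def version_from_log(log_text):
    """Return the SpoolManager version recorded in the startup listing, or None."""
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if m:
            return m.group("ver")
    return None


if __name__ == "__main__":
    found = version_from_log(SAMPLE_LOG)
    print(f"SpoolManager {found}: {'VULNERABLE' if is_vulnerable(found) else 'fixed'}")
    for v in ("1.7.7", "1.7.8", "1.8.0a2", "1.8.0a3", "1.8.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

To run it against a real install, replace SAMPLE_LOG with the contents of ~/.octoprint/logs/octoprint.log (or feed in the "Version:" line from `pip show OctoPrint-SpoolManager`).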
📡 Detection & Monitoring
Log Indicators:
- Requests to the plugin's API paths (OctoPrint mounts plugin blueprints under /plugin/<identifier>, here /plugin/SpoolManager/) from hosts that have no business using spool management
- Successful spool create, update or delete operations that cannot be matched to a logged-in user or a known API key
Network Indicators:
- HTTP requests to OctoPrint API endpoints without authentication headers
- Unusual spool-related API calls from unexpected IP addresses
SIEM Query (illustrative Splunk-style search; octoprint.log does not record HTTP requests, so point it at the reverse-proxy access log in front of OctoPrint, and note that access logs do not show whether a request carried a session cookie or API key, so filter on path and source and reconcile hits with known users):
sourcetype=access_combined uri_path="/plugin/SpoolManager/*" NOT src_ip IN ("192.168.1.0/24", "127.0.0.1")
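Because the access log does not show whether a request was authenticated, a practical detector keys on what it does show: source address, HTTP method and status. The script below is an added example for this page, not code from the SpoolManager project, OctoPrint or any SIEM vendor; it parses constructed combined-format access log lines (the trusted network ranges and the endpoint names in the sample lines are assumptions for illustration, not the plugin's documented routes) and flags SpoolManager API hits from untrusted sources and every state-changing request that succeeded.

```python
import re
from ipaddress import ip_address, ip_network

# Networks from which SpoolManager API use is expected (assumed; adjust).
TRUSTED_NETS = [ip_network("192.168.1.0/24"), ip_network("127.0.0.0/8")]
# Requests that change spool state; reads are lower priority.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Path prefix of the plugin's blueprint (OctoPrint mounts plugin blueprints
# under /plugin/<identifier>); matched case-insensitively to be safe.
SPOOL_PATH = re.compile(r"^/plugin/spoolmanager/", re.IGNORECASE)

# Common / combined log format as written by a reverse proxy such as haproxy
# or nginx in front of OctoPrint.
_CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for this example; not real traffic, and the
# endpoint names are illustrative placeholders.
SAMPLE_ACCESS_LOG = """\
192.168.1.20 - - [20/Oct/2025:10:01:02 +0000] "GET /plugin/SpoolManager/loadSpoolsByQuery?from=0&to=20 HTTP/1.1" 200 4210
192.168.1.20 - - [20/Oct/2025:10:01:05 +0000] "PUT /plugin/SpoolManager/saveSpool HTTP/1.1" 200 312
203.0.113.77 - - [20/Oct/2025:10:02:11 +0000] "GET /plugin/SpoolManager/loadSpoolsByQuery?from=0&to=500 HTTP/1.1" 200 98231
203.0.113.77 - - [20/Oct/2025:10:02:14 +0000] "DELETE /plugin/SpoolManager/deleteSpool/12 HTTP/1.1" 200 2
203.0.113.77 - - [20/Oct/2025:10:02:20 +0000] "GET /api/version HTTP/1.1" 403 0
"""


def parse_line(line):
    """Split one access log line into its fields, or return None if it does not parse."""
    m = _CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(log_text, trusted_nets=TRUSTED_NETS):
    """Flag SpoolManager API hits that are untrusted-sourced or state-changing.

    Authentication cannot be read off an access log line, so the heuristic
    uses source network and HTTP method instead. Every successful (2xx)
    write is reported regardless of source so it can be reconciled with
    the users who were actually logged in at that time.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not SPOOL_PATH.match(rec["path"]):
            continue
        src = ip_address(rec["ip"])
        trusted = any(src in net for net in trusted_nets)
        reasons = []
        if not trusted:
            reasons.append("untrusted source")
        if rec["method"] in WRITE_METHODS and 200 <= rec["status"] < 300:
            reasons.append("successful write")
        if reasons:
            findings.append(
                (rec["ip"], rec["method"], rec["path"], rec["status"], ", ".join(reasons))
            )
    return findings


if __name__ == "__main__":
    for ip, method, path, status, why in find_suspicious(SAMPLE_ACCESS_LOG):
        print(f"{ip:15} {method:6} {status} {path}  <- {why}")
```

On the sample above the detector ignores the trusted read and the non-plugin request and reports the remaining three lines; the trusted PUT is still listed so that it can be tied to a real user session.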
🔗 References
- https://github.com/WildRikku/OctoPrint-SpoolManager/commit/b725e113316e177ce81238a2dbbbdb63d92c40b0
- https://github.com/WildRikku/OctoPrint-SpoolManager/releases/tag/1.7.8
- https://github.com/WildRikku/OctoPrint-SpoolManager/releases/tag/1.8.0a3
- https://github.com/WildRikku/OctoPrint-SpoolManager/security/advisories/GHSA-2rrc-f24f-94f6