CVE-2025-58180
published 2025-09-09


Priority: P2 79 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 19.31% (97.0th percentile)
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered. If no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact. The vulnerability is patched in version 1.11.3. As a workaround, OctoPrint administrators who have event handlers configured that include any kind of filename based placeholders should disable those by setting their `enabled` property to `False` or unchecking the "Enabled" checkbox in the GUI based Event Manager. Alternatively, OctoPrint administrators should set `feature.enforceReallyUniversalFilenames` to `true` in `config.yaml` and restart OctoPrint, then vet the existing uploads and make sure to delete any suspicious looking files. As always, OctoPrint administrators are advised to not expose OctoPrint on hostile networks like the public internet, and to vet who has access to their instance.

Affected (2 ranges)

Vendor      Product     Version range     Fixed in
octoprint   octoprint   < 1.11.3          1.11.3
octoprint   octoprint   >= 0 < 1.11.3     1.11.3

Detection & IOCs (extracted from sources)

url:      /api/files/local
command:  octo;touch${IFS}/tmp/test123;#.gcode
port:     5000
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Octoprint File Upload File Name Command Injection Attempt (CVE-2025-58180)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:16; content:"/api/files/local"; fast_pattern; http.request_body; content:"name|3d 22|file|22 3b 20|filename|3d 22|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.exploit-db.com/exploits/52476; reference:cve,2025-58180; classtype:attempted-admin; sid:2067295; rev:1;)
  • Detect POST requests to /api/files/local where the multipart filename field contains shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • Monitor for the X-Api-Key header on POST requests to /api/files/local — exploitation requires only authenticated upload privileges (no admin required), so any API key holder is a potential attacker.
  • Exploitation is only possible if OctoPrint has at least one event handler configured that executes a system command AND uses a filename-based placeholder. Instances with no such handlers are not impacted.
  • The Snort/Suricata rule (sid:2067295) is scoped to plaintext HTTP (tls_state plaintext) only; TLS-wrapped OctoPrint deployments will not be detected by this rule without SSL inspection.
  • Setting feature.enforceReallyUniversalFilenames to true in config.yaml (and restarting OctoPrint) is a viable workaround that blocks the malicious filename from being accepted, but requires a service restart to take effect.
  • Disabling affected event handlers (setting enabled: false or unchecking 'Enabled' in the GUI Event Manager) is a workaround but does not fix the underlying sanitization flaw; patching to 1.11.3 is the definitive fix.
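
The following is an added example, not code from OctoPrint, Emerging Threats or this page's sources: it re-implements the matching logic of the Snort rule above (POST to /api/files/local, multipart part with name="file", filename containing a raw or percent-encoded semicolon, newline, backtick, pipe or dollar sign) in Python so it can be run over captured plaintext HTTP requests from a proxy or web-server log. The request samples and the multipart builder are constructed for the example; the header and field names follow the rule's content matches. Unlike the rule's pcre, which scans forward from the filename attribute until it hits an ampersand, this version confines the check to the quoted filename value itself.

```python
import re
from urllib.parse import unquote

# Endpoint named in the Snort rule's http.uri match (the page's IOC).
UPLOAD_URI = "/api/files/local"

# Same metacharacter set as the rule's pcre: ';', newline, '`', '|', '$'.
# Percent-encoded forms are covered by decoding before the check.
SHELL_METACHARS = (";", "\n", "`", "|", "$")

# Content-Disposition of the upload part: name="file"; filename="..."
FILENAME_RE = re.compile(r'name="file";\s*filename="([^"\r\n]*)"')


def extract_upload_filename(body):
    """Return the filename of the multipart part named "file", or None."""
    m = FILENAME_RE.search(body)
    return m.group(1) if m else None


def filename_is_suspicious(filename):
    """True if the percent-decoded filename contains any shell metacharacter."""
    decoded = unquote(filename)
    return any(ch in decoded for ch in SHELL_METACHARS)


def classify_request(method, uri, headers, body):
    """Apply the rule to one request; returns a verdict dict."""
    verdict = {
        "matches_rule": False,
        "filename": None,
        # The page notes exploitation needs only an authenticated uploader,
        # so record whether an API key was presented (case-insensitive header).
        "api_key_present": any(k.lower() == "x-api-key" for k in headers),
    }
    if method != "POST" or uri != UPLOAD_URI:
        return verdict
    filename = extract_upload_filename(body)
    verdict["filename"] = filename
    if filename is not None and filename_is_suspicious(filename):
        verdict["matches_rule"] = True
    return verdict


def build_multipart(filename):
    """Constructed sample: a minimal multipart/form-data upload body."""
    boundary = "----sample"
    return (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        "G28\r\nG1 X10\r\n"
        f"--{boundary}--\r\n"
    )


# Constructed sample traffic (not real captures). The placeholder API key is
# literal text, not a real credential.
SAMPLE_REQUESTS = [
    ("POST", UPLOAD_URI, {"X-Api-Key": "<key>"}, build_multipart("benchy.gcode")),
    ("POST", UPLOAD_URI, {"X-Api-Key": "<key>"}, build_multipart("part;job.gcode")),
    # percent-encoded backticks in the filename
    ("POST", UPLOAD_URI, {"x-api-key": "<key>"}, build_multipart("part%60job%60.gcode")),
    ("GET", UPLOAD_URI, {}, ""),
    ("POST", "/api/files/sdcard", {"X-Api-Key": "<key>"}, build_multipart("a|b.gcode")),
]


def scan(requests=SAMPLE_REQUESTS):
    """Return one boolean per request: does it match the rule's pattern?"""
    return [classify_request(*r)["matches_rule"] for r in requests]


if __name__ == "__main__":
    for req, hit in zip(SAMPLE_REQUESTS, scan()):
        print(req[0], req[1], extract_upload_filename(req[3]), "MATCH" if hit else "ok")
```

Running the file prints one line per sample; only the two uploads with metacharacters in the filename are flagged, while the GET and the upload to a different endpoint are ignored, mirroring the rule's method and URI constraints. Because the rule only sees plaintext HTTP, feeding decrypted proxy logs through this check is one way to cover TLS-wrapped instances that the Snort rule itself cannot inspect.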

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      3.1       8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      4.0       7.5     HIGH       CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X