N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-58180

GHSA ID

GHSA-49mj-x8jp-qvfc

EPSS Score

CWE

CWE-78

Published

9/9/2025

Updated

9/9/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-58180

CVE-2025-58180: OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload

Impact

OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered.

If no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact.

Patches

The vulnerability will be patched in version 1.11.3.

Workaround

Until the patch has been applied, OctoPrint administrators who have event handlers configured that include any kind of filename based placeholders (i.e. {__filename}, {__filepath}, {filename}, {path}, etc -- refer to the events documentation for a full list) should disable those by setting their enabled property to False or unchecking the "Enabled" checkbox in the GUI based Event Manager.

Alternatively, OctoPrint administrators should set feature.enforceReallyUniversalFilenames to true in config.yaml and restart OctoPrint, then vet the existing uploads and make sure to delete any suspicious looking files (e.g. those that contain a ; in their name followed by a command).

As always, OctoPrint administrators are advised to not expose OctoPrint on hostile networks like the public internet, and to vet who has access to their instance.

Credits

This vulnerability was discovered and responsibly disclosed to OctoPrint by @prabhatverma47.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-58180

GHSA ID

GHSA-49mj-x8jp-qvfc

EPSS Score

CWE

CWE-78

Published

9/9/2025

Updated

9/9/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
octoprint	pip	< 1.11.3	1.11.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows an authenticated attacker to achieve Remote Code Execution (RCE) by uploading a file with a specially crafted filename. The root cause is a combination of two weaknesses.

First, the sanitize_filename function in src/octoprint/util/files.py did not properly sanitize uploaded filenames, allowing characters with special meaning in shell environments (e.g., ;) to be part of the filename stored on the server. This is the entry point of the attack.

Second, when an event handler is configured to execute a system command that includes a filename placeholder, the CommandTrigger class in src/octoprint/events.py was responsible for this execution. The _processCommand method within this class would take the malicious filename and substitute it into a command template without any escaping. The resulting command string, now containing injected commands, was then executed by _executeSystemCommand using subprocess.check_call with shell=True. This shell=True argument makes the execution vulnerable to shell command injection.

The patches address both issues. Commit c3a940962f4658a8e035a00388781b1cbd768841 enhances sanitize_filename to strip dangerous characters. Commit be4201ef58d9a7c03593252398c16eada90a258b refactors the event handling logic to use shlex.quote for escaping parameters before they are used in system commands, which is the primary fix preventing the command injection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t O*toPrint v*rsions up until *n* in*lu*in* *.**.* *ont*in * vuln*r**ility t**t *llows *n ***ut**nti**t**** *tt**k*r to uplo** * *il* un**r * sp**i*lly *r**t** *il*n*m* t**t will *llow *r*itr*ry *omm*n* *x**ution i* s*i* *il*n*m* ***om*s in

Reasoning

T** vuln*r**ility *llows *n *ut**nti**t** *tt**k*r to ***i*v* R*mot* *o** *x**ution (R**) *y uplo**in* * *il* wit* * sp**i*lly *r**t** *il*n*m*. T** root **us* is * *om*in*tion o* two w**kn*ss*s. *irst, t** `s*nitiz*_*il*n*m*` *un*tion in `sr*/o*top

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-58180: OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload

Impact

Patches

Workaround

Credits

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI