N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64187

GHSA ID

GHSA-crvm-xjhm-9h29

EPSS Score

CWE

CWE-79

Published

11/4/2025

Updated

11/4/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64187

CVE-2025-64187: OctoPrint vulnerable to XSS in Action Commands Notification and Prompt

Impact

OctoPrint versions up to and including 1.11.3 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notification and prompt popups generated by the printer.

An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.

Patches

The vulnerability will be patched in version 1.11.4.

Workaround

OctoPrint administrators can mitigate the risk by disabling popups:

for Action Command notifications, uncheck OctoPrint Settings -> Printer Notifications -> Enable popups
for Action Command prompts, set OctoPrint Settings -> Printer Dialogs -> Enable support -> Never

It is also strongly recommended to ensure that files being printed originate from trusted sources, and, whenever possible, are sliced with your own slicer.

Credits

This vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64187

CVE-2025-64187:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64187

GHSA ID

GHSA-crvm-xjhm-9h29

EPSS Score

CWE

CWE-79

Published

11/4/2025

Updated

11/4/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
octoprint	pip	<= 1.11.3	1.11.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security vulnerability is a Cross-Site Scripting (XSS) issue found in two OctoPrint plugins: 'action_command_notification' and 'action_command_prompt'. Both plugins are designed to display messages from the printer in the OctoPrint web interface. The root cause of the vulnerability is the failure to properly sanitize user-controllable input that is rendered in a web context. Specifically, messages and prompts originating from the printer (which can be controlled by a malicious G-code file) are displayed to the user without escaping HTML-sensitive characters.

The provided patch addresses this by applying the _.escape() function to the incoming data (data.message, text, and buttons) before it is rendered. This ensures that any HTML or script tags are treated as literal text and not interpreted by the browser, thus mitigating the XSS risk. The vulnerable functions are the anonymous callbacks that handle the printer messages, as they are the ones that process the untrusted data and pass it to the UI rendering components.

Vulnerable functions

(anonymous function)

src/octoprint/plugins/action_command_notification/static/js/action_command_notification.js

This anonymous callback function is responsible for handling 'action:notification' messages from the printer. It constructs a notification popup using the 'data.message' field from the received message. The vulnerability lies in the fact that 'data.message' is directly used as the text of the notification without any sanitization or escaping. This allows an attacker to inject arbitrary HTML and JavaScript by sending a crafted 'action:notification' message from the printer, leading to a Cross-Site Scripting (XSS) vulnerability.

(anonymous function)

src/octoprint/plugins/action_command_prompt/static/js/action_command_prompt.js

This anonymous callback function handles 'action:prompt' messages from the printer. It creates a prompt dialog where the message and button labels are derived from the 'text' and 'buttons' fields of the received message. The vulnerability is that these fields are used to build the dialog without being escaped first. This allows an attacker to inject arbitrary HTML and JavaScript into the prompt by sending a crafted 'action:prompt' message from the printer, resulting in a Cross-Site Scripting (XSS) vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64187: OctoPrint vulnerable to XSS in Action Commands Notification and Prompt

Impact

Patches

Workaround

Credits

CVE-2025-64187:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-64187: OctoPrint vulnerable to XSS in Action Commands Notification and Prompt

Impact

Patches

Workaround

Credits

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI