CVE-2025-32788: 
Python vulnerability analysis and mitigation

OctoPrint, a web interface for controlling consumer 3D printers, was found to contain a vulnerability (CVE-2025-32788) in versions up to and including 1.10.3. The vulnerability, discovered and disclosed on April 22, 2025, allows attackers to bypass the login redirect and directly access the rendered HTML of certain frontend pages (GitHub Advisory, NVD).

The vulnerability exists in authentication-related functions defined in octoprint/server/util/init.py, specifically requirelogin, requireloginwith, and requirefreshloginwith. By adding the HTTP header X-Preemptive-Recording: yes to HTTP requests, attackers can bypass the login redirect mechanism. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating adjacent network access is required (GitHub Advisory).

While the immediate impact on data exposure is minimal since API requests still enforce proper authentication, the vulnerability does expose the IP addresses of configured reverse proxies through the authenticated variant of the reverse proxy test page. The main concern lies in potential future codebase modifications that might incorrectly rely on the vulnerable internal functions for authentication checks, which could lead to more serious security vulnerabilities (GitHub Advisory).

The vulnerability has been patched in OctoPrint version 1.11.0. Users are advised to upgrade to this version or later to address the security issue (GitHub Advisory).