CVE-2025-48067: 
Python vulnerability analysis and mitigation

OctoPrint, a web interface for controlling consumer 3D printers, has been identified with a vulnerability tracked as CVE-2025-48067. The vulnerability affects versions up to and including 1.11.1, and was discovered by Jacopo Tediosi. The issue was disclosed and patched in version 1.11.2, with the official advisory published on June 10, 2025 (GitHub Advisory).

The vulnerability allows attackers with FILEUPLOAD permission to exfiltrate files from the host system that OctoPrint has read access to. The exploit works through specially crafted HTTP requests to affected upload endpoints, including '/api/files/{local|sdcard}', '/api/languages', '/plugin/backup/restore', and '/plugin/pluginmanager/uploadfile'. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (Moderate), with the vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L (GitHub Advisory).

The primary impact of this vulnerability includes potential exfiltration of secrets stored in OctoPrint's configuration and system files. Additionally, the vulnerability could be exploited to affect host availability by removing important runtime files. However, the impact is somewhat limited as it requires an attacker to have an account with file upload permissions (GitHub Advisory).

The vulnerability has been patched in OctoPrint version 1.11.2. The fix removes any internal-only form inputs from incoming requests in the central file upload processor component. Users are advised to upgrade to version 1.11.2 or later to protect against this vulnerability (GitHub Advisory).