CVE-2025-48067: 
Python vulnerability analysis and mitigation

OctoPrint, a web interface for controlling consumer 3D printers, was found to contain a vulnerability (CVE-2025-48067) in versions up to and including 1.11.1. The vulnerability was discovered by Jacopo Tediosi and disclosed on June 10, 2025. The issue allows attackers with FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to by moving them into the upload folder where they can be downloaded (GitHub Advisory).

The vulnerability involves specially crafted HTTP requests to affected upload endpoints that contain form inputs intended only for internal use. The affected endpoints include '/api/files/{local|sdcard}', '/api/languages', '/plugin/backup/restore', and '/plugin/pluginmanager/upload_file'. Third-party plugin upload endpoints may also be affected. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (Medium) with the vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L, indicating adjacent network attack vector, low attack complexity, and low privileges required (GitHub Advisory).

The primary impact of this vulnerability is the potential exfiltration of secrets stored inside OctoPrint's configuration files and other system files that OctoPrint has read access to. Additionally, attackers could impact host availability by removing important runtime files. However, the impact is somewhat limited as it requires an attacker to have an account with file upload permissions (GitHub Advisory).

The vulnerability has been patched in OctoPrint version 1.11.2. The fix removes any internal-only form inputs from incoming requests in the central file upload processor component. Users are advised to upgrade to version 1.11.2 or later to protect against this vulnerability (GitHub Advisory).