
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-48879 affects OctoPrint versions up to and including 1.11.1 and was discovered on June 10, 2025. An unauthenticated attacker can send a malformed multipart/form-data request to OctoPrint that causes the web server component to become unresponsive (GitHub Advisory).
The vulnerability exists in the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. When processing multipart/form-data requests lacking an end boundary, the handler enters an endless busy loop while searching for non-existent request parts. Due to Tornado's single-threaded nature, this blocks the entire web server. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Moderate) with vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating adjacent network attack vector, low complexity, no privileges required, and high impact on availability (GitHub Advisory).
The vulnerability can be exploited to conduct a denial of service attack on the OctoPrint server, making the web server component completely unresponsive. Since Tornado is single-threaded, the endless loop effectively blocks all web server functionality (GitHub Advisory).
The vulnerability has been patched in OctoPrint version 1.11.2, which adds detection of invalid requests and handles them gracefully with an HTTP 400 Bad Request response. As a workaround, administrators are advised not to expose OctoPrint to hostile networks like the internet, regardless of whether this vulnerability is patched (GitHub Advisory).
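The defensive pattern described above (detect the invalid request, answer with HTTP 400, and never enter an unbounded scan) is illustrated below with a small multipart/form-data part scanner. This is an added example, not OctoPrint's or Tornado's code; the handler name, the boundary regex and the sample bodies are constructed for illustration. The two properties worth noting are the explicit pre-check for the terminating boundary and the cursor that strictly advances on every loop iteration, so the scan provably terminates even on bodies that were not caught by the pre-check.

```python
"""Bounded multipart/form-data scanning with a 400 on malformed bodies.

Added example (not OctoPrint's code). Demonstrates the fix strategy from
the advisory: validate the request before scanning, and make the scan loop
unable to spin forever on a body without an end boundary.
"""
import re


class BadMultipart(ValueError):
    """Raised for malformed bodies; the handler maps it to HTTP 400."""


def parse_boundary(content_type: str) -> bytes:
    """Extract the boundary parameter; quoted and unquoted forms accepted."""
    m = re.match(r'multipart/form-data;\s*boundary=("?)([^";]+)\1', content_type, re.I)
    if not m:
        raise BadMultipart("missing or malformed boundary parameter")
    return m.group(2).encode()


def scan_parts(body: bytes, boundary: bytes, max_parts: int = 64) -> list[bytes]:
    """Return the raw parts (headers + content) of a multipart body.

    Guarantees: raises BadMultipart instead of looping when the body is
    truncated, and `pos` strictly increases on every iteration.
    """
    delim = b"--" + boundary
    terminator = delim + b"--"
    # Detection step: a body without the closing boundary can never be valid,
    # so reject it before scanning for parts at all.
    if terminator not in body:
        raise BadMultipart("body lacks the terminating boundary")
    pos = body.find(delim)
    if pos < 0:
        raise BadMultipart("no boundary delimiter in body")
    parts: list[bytes] = []
    while True:
        line_end = pos + len(delim)
        if body.startswith(b"--", line_end):
            return parts  # reached "--boundary--": done
        if not body.startswith(b"\r\n", line_end):
            raise BadMultipart("delimiter not followed by CRLF")
        start = line_end + 2
        nxt = body.find(b"\r\n" + delim, start)
        if nxt < 0:
            # No following boundary: fail closed rather than search forever.
            raise BadMultipart("part without a following boundary")
        parts.append(body[start:nxt])
        if len(parts) > max_parts:
            raise BadMultipart("too many parts")
        pos = nxt + 2  # nxt >= start > pos, so the cursor always advances


def handle_upload(content_type: str, body: bytes) -> tuple[int, str]:
    """Hypothetical request handler: (status, message) instead of a real response."""
    try:
        parts = scan_parts(body, parse_boundary(content_type))
    except BadMultipart as exc:
        return 400, f"Bad Request: {exc}"
    return 200, f"accepted {len(parts)} part(s)"


# Constructed sample bodies (not captured traffic).
CONTENT_TYPE = "multipart/form-data; boundary=XbOuNdArY"
GOOD_BODY = (
    b"--XbOuNdArY\r\n"
    b'Content-Disposition: form-data; name="file"; filename="a.gcode"\r\n'
    b"\r\n"
    b"G28\r\n"
    b"--XbOuNdArY--\r\n"
)
# Same upload with the closing "--XbOuNdArY--" line missing.
TRUNCATED_BODY = GOOD_BODY[: GOOD_BODY.rfind(b"--XbOuNdArY--")]

if __name__ == "__main__":
    print(handle_upload(CONTENT_TYPE, GOOD_BODY))       # (200, 'accepted 1 part(s)')
    print(handle_upload(CONTENT_TYPE, TRUNCATED_BODY))  # (400, 'Bad Request: ...')
```

The pre-check alone would be enough for the truncated case the advisory describes, but the strictly advancing cursor is what makes the scanner safe against every other shape of malformed body, which is the property a reviewer should look for in any hand-written boundary scanner.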
The vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi (GitHub Advisory).
Source: This report was generated using AI