CVE-2025-58180: 
Python vulnerability analysis and mitigation

CVE-2025-58180 affects OctoPrint, a web interface for controlling consumer 3D printers, in versions up to and including 1.11.2. The vulnerability allows an authenticated attacker to upload a file with a specially crafted filename that enables arbitrary command execution when the filename is included in a system event handler command and the event is triggered (GitHub Advisory). The vulnerability was discovered and disclosed by @prabhatverma47, and has been patched in version 1.11.3 (OctoPrint Release).

The vulnerability is classified as a High severity issue with a CVSS v4.0 base score of 7.5. It is categorized as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), where the application fails to properly sanitize special elements in filenames that could modify intended OS commands. The attack requires adjacent network access, low attack complexity, and low privileges, with no user interaction needed. The vulnerability can result in high impacts to confidentiality, integrity, and availability of the vulnerable system (GitHub Advisory).

When successfully exploited, this vulnerability allows arbitrary command execution on the system running OctoPrint. However, the impact is limited to instances where event handlers executing system commands with uploaded filenames as parameters have been configured. The vulnerability requires authentication and adjacent network access, which somewhat limits its potential scope (GitHub Advisory).

Several mitigation options are available: 1) Upgrade to OctoPrint version 1.11.3 which patches the vulnerability. 2) Disable event handlers that include filename-based placeholders by setting their 'enabled' property to False or unchecking the 'Enabled' checkbox in the GUI-based Event Manager. 3) Set feature.enforceReallyUniversalFilenames to true in config.yaml and restart OctoPrint, then remove any suspicious files. Additionally, administrators are advised not to expose OctoPrint on hostile networks like the public internet and to carefully vet instance access (GitHub Advisory).