CVE-2025-48067 MEDIUM

CVE-2025-48067: OctoPrint vulnerable to possible file extraction via upload endpoints

Vendor Octoprint
Product OctoPrint
Weakness CWE-73
Published June 10, 2025
Last update June 10, 2025

CVSS base score

5.4/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

What the vulnerability does

01Description

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. This vulnerability is fixed in 1.11.2.

Key dates

02Disclosure timeline

June 10, 2025 CVE published
June 10, 2025 Record updated