一、 漏洞 CVE-2025-58180 基础信息
漏洞信息
                                        # OctoPrint 文件上传RCE漏洞

N/A
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload
来源:美国国家漏洞数据库 NVD
漏洞描述信息
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered. If no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact. The vulnerability is patched in version 1.11.3. As a workaround, OctoPrint administrators who have event handlers configured that include any kind of filename based placeholders should disable those by setting their `enabled` property to `False` or unchecking the "Enabled" checkbox in the GUI based Event Manager. Alternatively, OctoPrint administrators should set `feature.enforceReallyUniversalFilenames` to `true` in `config.yaml` and restart OctoPrint, then vet the existing uploads and make sure to delete any suspicious looking files. As always, OctoPrint administrators are advised to not expose OctoPrint on hostile networks like the public internet, and to vet who has access to their instance.
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
来源:美国国家漏洞数据库 NVD
漏洞标题
OctoPrint 操作系统命令注入漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
OctoPrint是OctoPrint开源的一个应用程序。提供了一个快速的Web界面,用于控制消费类3D打印机。 OctoPrint 1.11.2及之前版本存在操作系统命令注入漏洞,该漏洞源于文件名处理不当,可能导致任意命令执行。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
授权问题
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2025-58180 的公开POC
# POC 描述 源链接 神龙链接
1 In OctoPrint version <=1.11.2, an attacker with file upload access (e.g., valid API key or session) can craft a malicious filename that bypasses sanitization and is later executed by OctoPrint’s event system, leading to remote code execution (RCE) on the host https://github.com/prabhatverma47/CVE-2025-58180 POC详情
三、漏洞 CVE-2025-58180 的情报信息

  • 标题: Release 1.11.3 · OctoPrint/OctoPrint · GitHub -- 🔗来源链接

    标签: x_refsource_MISC

    神龙速读
    Release 1.11.3 · OctoPrint/OctoPrint · GitHub

  • 标题: RCE in OctoPrint via Unsanitized Filename in File Upload · Advisory · OctoPrint/OctoPrint · GitHub -- 🔗来源链接

    标签: x_refsource_CONFIRM

    神龙速读
    RCE in OctoPrint via Unsanitized Filename in File Upload · Advisory · OctoPrint/OctoPrint · GitHub

  • 标题: fix: escape parameters in system event handlers · OctoPrint/OctoPrint@be4201e · GitHub -- 🔗来源链接

    标签: x_refsource_MISC

    神龙速读
    fix: escape parameters in system event handlers · OctoPrint/OctoPrint@be4201e · GitHub

  • 标题: fix: strip some more characters from sanitized file names · OctoPrint/OctoPrint@c3a9409 · GitHub -- 🔗来源链接

    标签: x_refsource_MISC

    神龙速读
    fix: strip some more characters from sanitized file names · OctoPrint/OctoPrint@c3a9409 · GitHub
  • https://nvd.nist.gov/vuln/detail/CVE-2025-58180
四、漏洞 CVE-2025-58180 的评论

暂无评论

发表评论