CVE-2025-48879

Name of the Vulnerable Software and Affected Versions OctoPrint versions up to and including 1.11.1

Description The issue allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint, making the web server component become unresponsive. This can be triggered by a broken request lacking an end boundary to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come, effectively blocking the whole web server due to Tornado being single-threaded.

Recommendations For versions up to and including 1.11.1, update to version 1.11.2 to resolve the issue. As a temporary workaround, consider restricting access to endpoints that use the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler until the update can be applied.