PT-2025-36936 · Octoprint · Octoprint

Prabhatverma47 · Published 2025-09-09 · Updated 2026-02-12 · CVE-2025-58180

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OctoPrint versions prior to 1.11.3
Description: OctoPrint is a web interface for controlling consumer 3D printers. Versions up to and including 1.11.2 are susceptible to a flaw that permits an authenticated attacker to upload a file with a specially crafted filename. This can lead to arbitrary command execution if the filename is included in a command defined within a system event handler and that event is triggered. If no event handlers executing system commands with uploaded filenames as parameters have been configured, this issue has no impact.
Recommendations (OctoPrint versions prior to 1.11.3):
- Disable event handlers that include filename-based placeholders by setting their enabled property to False or unchecking the "Enabled" checkbox in the GUI-based Event Manager.
- Set feature.enforceReallyUniversalFilenames to true in config.yaml and restart OctoPrint, then vet existing uploads and delete any suspicious files.
- Avoid exposing OctoPrint on hostile networks and restrict access to authorized users.
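The second recommendation asks operators to vet existing uploads. The script below is an added example for that step; it is not code from OctoPrint or from this advisory. It treats a filename as suspicious when it contains anything outside a conservative allowlist (ASCII letters, digits, dot, underscore, hyphen), since characters outside that set are the ones a shell or argument parser can interpret when the name is substituted into an event-handler command template. The allowlist is an assumption in the spirit of "really universal" filenames and may be stricter than OctoPrint's own rule; the uploads directory path passed to vet_upload_dir is also an assumption you supply, and the sample names are constructed.

```python
import re
from pathlib import Path
from typing import Iterable

# Allowlist (assumption, modelled on "really universal" filenames): only ASCII
# letters, digits, dot, underscore and hyphen. Spaces, quotes, ';', '|', '$',
# backticks, parentheses, newlines and non-ASCII all fall outside it.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def is_suspicious_filename(name: str) -> bool:
    """True if the name could alter a command it is substituted into."""
    if not SAFE_NAME.fullmatch(name):
        return True
    # A leading hyphen is shell-safe but may be parsed as an option by the
    # program the event handler invokes, so flag it for manual review too.
    if name.startswith("-"):
        return True
    return False


def vet_names(names: Iterable[str]) -> list[str]:
    """Return the subset of names that need manual review, in input order."""
    return [n for n in names if is_suspicious_filename(n)]


def vet_upload_dir(upload_dir: str) -> list[str]:
    """Walk an uploads directory (path supplied by the operator) and return
    relative paths of files whose name, or any folder in their path, is
    suspicious. Subfolder names are user-controlled as well, so every path
    component is checked."""
    root = Path(upload_dir)
    found = []
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root)
            if any(is_suspicious_filename(part) for part in rel.parts):
                found.append(str(rel))
    return sorted(found)


# Constructed sample names, not real uploads.
SAMPLE_NAMES = [
    "benchy.gcode",
    "calibration_cube-v2.gcode",
    "part one.gcode",   # whitespace splits an unquoted argument
    "a;b.gcode",        # ';' terminates the command in a shell
    "-o.gcode",         # may be parsed as an option by the invoked program
    "tést.gcode",       # non-ASCII, outside the allowlist
]

if __name__ == "__main__":
    for n in vet_names(SAMPLE_NAMES):
        print("review:", n)
    # Example of a real scan; the path is a placeholder for your uploads folder.
    # for rel in vet_upload_dir("/path/to/octoprint/uploads"):
    #     print("review:", rel)
```

Names the script reports are candidates for the manual review and deletion the advisory recommends; a flagged name is not proof of abuse, only a sign that the file could not have passed the stricter filename rule.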

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-58180
GHSA-49MJ-X8JP-QVFC

Affected Products

Octoprint