CVE-2025-48879

OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. The issue can be triggered by a broken multipart/form-data request lacking an end boundary to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server. The vulnerability has been patched in version 1.11.2.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec
https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 16:15

Updated : 2025-06-12 16:06

NVD link : CVE-2025-48879

Mitre link : CVE-2025-48879

CVE.ORG link : CVE-2025-48879

JSON object : View

Products Affected

No product.

CWE

CWE-140

Improper Neutralization of Delimiters

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

{"id": "CVE-2025-48879", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-06-10T16:15:41.513", "references": [{"url": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec", "source": "security-advisories@github.com"}, {"url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-140"}, {"lang": "en", "value": "CWE-835"}]}], "descriptions": [{"lang": "en", "value": "OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. The issue can be triggered by a broken multipart/form-data request lacking an end boundary to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server. The vulnerability has been patched in version 1.11.2."}, {"lang": "es", "value": "Las versiones de OctoPrint hasta la 1.11.1 inclusive contienen una vulnerabilidad que permite a cualquier atacante no autenticado enviar una solicitud multipart/form-data manipulada y rota a OctoPrint, provocando as\u00ed que el componente del servidor web deje de responder. El problema puede desencadenarse por una solicitud multipart/form-data rota que no tenga un l\u00edmite final en ninguno de los endpoints de OctoPrint implementados mediante el controlador de solicitudes octoprint.server.util.tornado.UploadStorageFallbackHandler. El controlador de solicitudes se atascar\u00e1 en un bucle de actividad interminable, buscando una parte de la solicitud que nunca llegar\u00e1. Dado que Tornado es de un solo subproceso, esto bloquear\u00e1 efectivamente todo el servidor web. La vulnerabilidad se ha corregido en la versi\u00f3n 1.11.2."}], "lastModified": "2025-06-12T16:06:39.330", "sourceIdentifier": "security-advisories@github.com"}