{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-48879", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-27T20:14:34.296Z", "datePublished": "2025-06-10T15:23:54.150Z", "dateUpdated": "2025-06-10T15:57:42.371Z"}, "containers": {"cna": {"title": "OctoPrint Vulnerable to Denial of Service through malformed HTTP request", "problemTypes": [{"descriptions": [{"cweId": "CWE-140", "lang": "en", "description": "CWE-140: Improper Neutralization of Delimiters", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-835", "lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw"}, {"name": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec", "tags": ["x_refsource_MISC"], "url": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec"}], "affected": [{"vendor": "OctoPrint", "product": "OctoPrint", "versions": [{"version": "< 1.11.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-10T15:23:54.150Z"}, "descriptions": [{"lang": "en", "value": "OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. The issue can be triggered by a broken multipart/form-data request lacking an end boundary to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server. The vulnerability has been patched in version 1.11.2."}], "source": {"advisory": "GHSA-9wj4-8h85-pgrw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-10T15:57:28.162115Z", "id": "CVE-2025-48879", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T15:57:42.371Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-48879", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-10T15:57:28.162115Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T15:57:31.768Z"}}], "cna": {"title": "OctoPrint Vulnerable to Denial of Service through malformed HTTP request", "source": {"advisory": "GHSA-9wj4-8h85-pgrw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OctoPrint", "product": "OctoPrint", "versions": [{"status": "affected", "version": "< 1.11.2"}]}], "references": [{"url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw", "name": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec", "name": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. The issue can be triggered by a broken multipart/form-data request lacking an end boundary to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server. The vulnerability has been patched in version 1.11.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-140", "description": "CWE-140: Improper Neutralization of Delimiters"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-10T15:23:54.150Z"}}}, "cveMetadata": {"cveId": "CVE-2025-48879", "state": "PUBLISHED", "dateUpdated": "2025-06-10T15:57:42.371Z", "dateReserved": "2025-05-27T20:14:34.296Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-10T15:23:54.150Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1806AF8-8DCF-4F51-A6F2-8B6B72CC5563", "versionEndExcluding": "1.11.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. The issue can be triggered by a broken multipart/form-data request lacking an end boundary to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server. The vulnerability has been patched in version 1.11.2."}, {"lang": "es", "value": "Las versiones de OctoPrint hasta la 1.11.1 inclusive contienen una vulnerabilidad que permite a cualquier atacante no autenticado enviar una solicitud multipart/form-data manipulada y rota a OctoPrint, provocando as\u00ed que el componente del servidor web deje de responder. El problema puede desencadenarse por una solicitud multipart/form-data rota que no tenga un l\u00edmite final en ninguno de los endpoints de OctoPrint implementados mediante el controlador de solicitudes octoprint.server.util.tornado.UploadStorageFallbackHandler. El controlador de solicitudes se atascar\u00e1 en un bucle de actividad interminable, buscando una parte de la solicitud que nunca llegar\u00e1. Dado que Tornado es de un solo subproceso, esto bloquear\u00e1 efectivamente todo el servidor web. La vulnerabilidad se ha corregido en la versi\u00f3n 1.11.2."}], "id": "CVE-2025-48879", "lastModified": "2025-08-12T13:32:55.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-10T16:15:41.513", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-140"}, {"lang": "en", "value": "CWE-835"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2025-06-24T09:51:41.954159+00:00", "updated": "2025-06-24T09:51:41.954208+00:00", "vendors": ["octoprint", "octoprint$PRODUCT$octoprint"]}