octoprint@1.4.2 vulnerabilities

The snappy web interface for your 3D printer

  • latest version: 1.11.5

  • first published: 6 years ago

  • latest version published: 12 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the octoprint package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity) | Vulnerable version
    • Cross-site Scripting (XSS)
      Severity: Low
      Vulnerable versions: [,1.11.4)

      Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the Action Command Notification plugin and the Action Command Prompt plugin. An attacker can execute arbitrary scripts in the context of the user's browser by convincing a victim to print a specially crafted file. This can lead to disruption of ongoing prints, extraction of sensitive information, or execution of actions on behalf of the user within the application.

      How to fix Cross-site Scripting (XSS)?

      Upgrade OctoPrint to version 1.11.4 or higher.
    • Command Injection
      Severity: High
      Vulnerable versions: [,1.11.3)

      Affected versions of this package are vulnerable to Command Injection via file upload: when a specially crafted filename is included in a command defined in a system event handler and the corresponding event is triggered, the filename is interpreted by the shell. An attacker can execute arbitrary system commands by uploading a file with a malicious filename if event handlers are configured to use uploaded filenames as command parameters.

      Note: This is only exploitable if event handlers are configured to execute system commands with uploaded filenames as parameters.

      How to fix Command Injection?

      Upgrade OctoPrint to version 1.11.3 or higher.
    • Improper Neutralization
      Severity: High
      Vulnerable versions: [,1.11.2)

      Affected versions of this package are vulnerable to Improper Neutralization in the UploadStorageFallbackHandler request handler. An attacker can render the web server component unresponsive by sending a malformed multipart/form-data request that lacks an end boundary.

      How to fix Improper Neutralization?

      Upgrade OctoPrint to version 1.11.2 or higher.
    • External Control of File Name or Path
      Severity: Medium
      Vulnerable versions: [,1.11.2)

      Affected versions of this package are vulnerable to External Control of File Name or Path via the upload endpoints. An attacker with the FILE_UPLOAD permission can move files from the host into the upload folder, from where they can be subsequently downloaded.

      How to fix External Control of File Name or Path?

      Upgrade OctoPrint to version 1.11.2 or higher.
    • User Impersonation
      Severity: Medium
      Vulnerable versions: [,1.11.0)

      Affected versions of this package are vulnerable to User Impersonation via the X-Preemptive-Recording HTTP header. An attacker could bypass the login redirect and directly access the HTML of certain frontend pages by adding the HTTP header X-Preemptive-Recording: yes to HTTP requests.

      Notes:

      1. The impact on data exposure is minimal because, typically, data is loaded via API requests that correctly enforce user authentication. The primary risk lies in potential future modifications to the codebase that might incorrectly rely on the vulnerable internal functions for authentication checks, leading to security vulnerabilities.

      2. The vulnerability affects the functions require_login, require_login_with, and require_fresh_login_with in the octoprint/server/util/__init__.py file.

      How to fix User Impersonation?

      Upgrade OctoPrint to version 1.11.0 or higher.
    • Cross-site Scripting (XSS)
      Severity: Medium
      Vulnerable versions: [,1.10.3)

      Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Jinja2 template system. An attacker can retrieve or modify sensitive configuration settings, interrupt prints, or otherwise interact with the instance maliciously.

      Note: The attacker has to redirect a victim to a specially crafted link or persuade the victim to click through a malicious third-party app.

      How to fix Cross-site Scripting (XSS)?

      Upgrade OctoPrint to version 1.10.3 or higher.
    • Unverified Password Change
      Severity: Medium
      Vulnerable versions: [,1.10.3)

      Affected versions of this package are vulnerable to Unverified Password Change due to improper authentication in the settings interface. An attacker can gain unauthorized access to API keys and potentially disrupt system operations by exploiting the lack of reauthentication requirements.

      How to fix Unverified Password Change?

      Upgrade OctoPrint to version 1.10.3 or higher.
    • Authentication Bypass by Spoofing
      Severity: High
      Vulnerable versions: [,1.10.1)

      Affected versions of this package are vulnerable to Authentication Bypass by Spoofing due to the autologinLocal configuration option. An attacker can bypass authentication controls by spoofing their IP address using the X-Forwarded-For header.

      Note: If autologin is not enabled, this vulnerability does not have any impact.

      How to fix Authentication Bypass by Spoofing?

      Upgrade OctoPrint to version 1.10.1 or higher.
    • Cross-site Scripting (XSS)
      Severity: Medium
      Vulnerable versions: [,1.10.0rc3)

      Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via a misconfigured webcam snapshot URL: when the URL is tested through the "Test" button in the web interface, JavaScript code is executed in the victim's browser during the attempt to render the snapshot image.

      An attacker who successfully convinces a victim with admin rights to perform a snapshot test with a maliciously crafted URL could use this to retrieve or modify sensitive configuration settings, interrupt prints, or otherwise interact with the instance in a malicious manner.

      How to fix Cross-site Scripting (XSS)?

      Upgrade OctoPrint to version 1.10.0rc3 or higher.
    • Cross-site Request Forgery (CSRF)
      Severity: Medium
      Vulnerable versions: [,1.8.3)

      Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). An admin user could be deceived into visiting a malicious website, which could then install harmful plugins on the OctoPrint server using the admin's login credentials.

      How to fix Cross-site Request Forgery (CSRF)?

      Upgrade OctoPrint to version 1.8.3 or higher.
    • Unverified Password Change
      Severity: Medium
      Vulnerable versions: [,1.10.0rc1)

      Affected versions of this package are vulnerable to Unverified Password Change via the access control settings. By exploiting this vulnerability, an attacker can change the password of other admin accounts without having to verify their current password. This is only exploitable if the attacker has already hijacked an admin account.

      How to fix Unverified Password Change?

      Upgrade OctoPrint to version 1.10.0rc1 or higher.
    • Open Redirect
      Severity: Medium
      Vulnerable versions: [,1.8.2)

      Affected versions of this package are vulnerable to Open Redirect due to inadequate checking of the redirect GET parameter on the login page. This vulnerability could allow an attacker to mislead a user to a harmful domain.

      Note: The check used urllib to confirm that url.scheme and url.netloc are empty, but this approach does not cover all forms of URL.

      How to fix Open Redirect?

      Upgrade OctoPrint to version 1.8.2 or higher.
    • Improper Neutralization of Special Elements Used in a Template Engine
      Severity: Medium
      Vulnerable versions: [,1.9.3)

      Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine when the GCODE script is configured maliciously. An attacker can execute arbitrary commands with the rights of the process on the server system and manipulate or extract data by crafting a special script.

      How to fix Improper Neutralization of Special Elements Used in a Template Engine?

      Upgrade OctoPrint to version 1.9.3 or higher.
    • Special Element Injection
      Severity: Medium
      Vulnerable versions: [,1.8.3)

      Affected versions of this package are vulnerable to Special Element Injection, which allows an attacker to steal any file from the remote OctoPrint server by uploading a maliciously crafted archive as a language pack and then downloading the stolen files within a backup archive.

      How to fix Special Element Injection?

      Upgrade OctoPrint to version 1.8.3 or higher.
    • Privilege Escalation
      Severity: Medium
      Vulnerable versions: [,1.8.3)

      Affected versions of this package are vulnerable to Privilege Escalation, which makes it possible for a low-privileged user (a Read-only Access user) to edit and take actions in the plugin management section.

      How to fix Privilege Escalation?

      Upgrade OctoPrint to version 1.8.3 or higher.
    • Insufficient Session Expiration
      Severity: Medium
      Vulnerable versions: [,1.8.3)

      Affected versions of this package are vulnerable to Insufficient Session Expiration, which allows attackers to steal session cookies and use them to authenticate for as long as the victim's account exists.

      How to fix Insufficient Session Expiration?

      Upgrade OctoPrint to version 1.8.3 or higher.
    • Arbitrary File Upload
      Severity: Low
      Vulnerable versions: [,1.8.3)

      Affected versions of this package are vulnerable to Arbitrary File Upload due to improper file type validation in the move_file and copy_file functions.

      How to fix Arbitrary File Upload?

      Upgrade OctoPrint to version 1.8.3 or higher.
    • Unverified Password Change
      Severity: Medium
      Vulnerable versions: [,1.8.3)

      Affected versions of this package are vulnerable to Unverified Password Change. An attacker who gains access to an active user session can change the account password without prior knowledge of the current password.

      How to fix Unverified Password Change?

      Upgrade OctoPrint to version 1.8.3 or higher.
    • Improper Restriction of Excessive Authentication Attempts
      Severity: Low
      Vulnerable versions: [,1.8.3)

      Affected versions of this package are vulnerable to Improper Restriction of Excessive Authentication Attempts due to the ability of an attacker to brute force usernames and passwords freely, without any rate limiting.

      How to fix Improper Restriction of Excessive Authentication Attempts?

      Upgrade OctoPrint to version 1.8.3 or higher.
    • Cross-site Scripting (XSS)
      Severity: Medium
      Vulnerable versions: [0,1.8.1)

      Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the user/group delete confirmation message, when the user/group name is the payload, due to missing sanitization.

      Note: In version 1.8.0, this exploit cannot be used to get credentials, due to cookies being set to HttpOnly.

      How to fix Cross-site Scripting (XSS)?

      Upgrade OctoPrint to version 1.8.1 or higher.
    • Cross-site Scripting (XSS)
      Severity: Medium
      Vulnerable versions: [,1.8.0)

      Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the webcam stream URL test. An attacker could talk an instance administrator into inserting a specially crafted HTML/JS snippet into the webcam settings and then ask them to click "test", making the JS code run and potentially steal the "remember me" token. This could then have been used to gain access to the OctoPrint instance if it is somehow reachable by the attacker (e.g. if you have exposed your OctoPrint instance on the public internet or another hostile network, contrary to the project's recommendations).

      How to fix Cross-site Scripting (XSS)?

      Upgrade OctoPrint to version 1.8.0 or higher.
    • Cross-site Scripting (XSS)
      Severity: Medium
      Vulnerable versions: [,1.8.0)

      Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to Chrome creating URL objects from HTML tags, which are embedded in the webpage unencoded.

      How to fix Cross-site Scripting (XSS)?

      Upgrade OctoPrint to version 1.8.0 or higher.
    • Cross-site Scripting (XSS)
      Severity: Medium
      Vulnerable versions: [,1.8.0)

      Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the webcam stream URL test. An attacker could talk an instance administrator into inserting a specially crafted HTML/JS snippet into the webcam settings and then ask them to click "test", making the JS code run and potentially steal the "remember me" token.

      How to fix Cross-site Scripting (XSS)?

      Upgrade OctoPrint to version 1.8.0 or higher.
    • Cross-site Scripting (XSS)
      Severity: Medium
      Vulnerable versions: [,1.8.0)

      Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the login dialog. An attacker could send a login URL with a specially crafted redirect parameter to an instance admin; once it is used to log in, it would allow the attacker to steal the "remember me" cookie.

      How to fix Cross-site Scripting (XSS)?

      Upgrade OctoPrint to version 1.8.0 or higher.
    • Cross-site Scripting (XSS)
      Severity: Medium
      Vulnerable versions: [,1.6.0)

      Affected versions of this package are vulnerable to Cross-site Scripting (XSS). This is due to API error messages including the values of input parameters.

      How to fix Cross-site Scripting (XSS)?

      Upgrade OctoPrint to version 1.6.0 or higher.
    • Improper Access Control
      Severity: Low
      Vulnerable versions: [,1.6.0)

      Affected versions of this package are vulnerable to Improper Access Control. The Logging subsystem attempts to manage files that are not *.log files, which can lead to a local file read.

      How to fix Improper Access Control?

      Upgrade OctoPrint to version 1.6.0 or higher.