CVE-2025-48879

Date: June 10, 2025

OctoPrint versions up to and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated, broken multipart/form-data request to OctoPrint and thereby make the web server component unresponsive. The issue can be triggered by a broken multipart/form-data request lacking an end boundary, sent to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler gets stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that effectively blocks the whole web server. The vulnerability has been patched in version 1.11.2.
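The failure mode described above, shown from the parser's side as an added example (not OctoPrint's code or its patch): an incremental boundary scanner that returns to its caller whenever it cannot make progress and treats end-of-body without a closing boundary as an error. The class, function and sample names are hypothetical, and the scanner is simplified in that it does not require a delimiter to start a line.

```python
class MultipartScanner:
    """Incremental boundary scanner; class and method names are hypothetical."""

    def __init__(self, boundary, max_buffer=1 << 20):
        self.delim = b"--" + boundary
        self.max_buffer = max_buffer
        self.buf = b""
        self.parts = []
        self.started = self.closed = False

    def feed(self, chunk):
        if self.closed:
            return  # epilogue after the closing delimiter is ignored
        self.buf += chunk
        while not self.closed:
            idx = self.buf.find(self.delim)
            end = idx + len(self.delim)
            # The two bytes after a delimiter say "--" (close) or CRLF (next part).
            if idx == -1 or len(self.buf) < end + 2:
                break  # no progress possible: hand control back, never spin
            if self.started:
                part = self.buf[:idx]
                self.parts.append(part[:-2] if part.endswith(b"\r\n") else part)
            self.started = True
            self.closed = self.buf[end:end + 2] == b"--"
            self.buf = self.buf[end + 2:]
        if len(self.buf) > self.max_buffer:
            raise ValueError("buffered part data exceeds limit")

    def finish(self):
        # Called at end of request body: a missing end boundary is an error.
        if not self.closed:
            raise ValueError("body ended without closing boundary")
        return self.parts


def parse(body, boundary, chunk_size=7, max_buffer=1 << 20):
    scanner = MultipartScanner(boundary, max_buffer)
    for i in range(0, len(body), chunk_size):
        scanner.feed(body[i:i + chunk_size])
    return scanner.finish()


# Constructed sample bodies (not captured traffic).
GOOD = (b'--XYZ\r\nContent-Disposition: form-data; name="a"\r\n\r\n1\r\n'
        b'--XYZ\r\nContent-Disposition: form-data; name="b"\r\n\r\n2\r\n'
        b'--XYZ--\r\n')
TRUNCATED = GOOD[:-len(b"--XYZ--\r\n")]  # same body with the end boundary missing
```

Every pass through the `while` loop either consumes a delimiter or exits, so the scanner cannot busy-wait on data that never arrives; the truncated body is rejected in `finish()`.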

Severity Score

Weakness Type (CWE)

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-835

Improper Neutralization of Delimiters

CWE-140

Top Fix

Upgrade Version

Upgrade to version: octoprint - 1.11.2; OctoPrint - 1.11.2; https://github.com/OctoPrint/OctoPrint.git - 1.11.2

CVSS v3.1

Base Score:
Attack Vector (AV): ADJACENT_NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH
