OctoPrint is an open source 3D printer controller application that provides a web interface for connected printers. It displays printer status and key parameters, and supports scheduling print jobs and controlling the printer remotely.
Numen Security Labs vulnerability researchers discovered that in OctoPrint versions up to and including 1.9.2, a print job can be configured with a specially crafted GCODE script that causes arbitrary code to be executed when that script is rendered.
Code path (captions of the analysis screenshots; the screenshots themselves are not included in this text):
- Passing the gcode to the loadScript function of the s object
- The s object comes from
- Render using the
- The template object comes from the
The vulnerability is triggered by insecure rendering of the gcode script: OctoPrint applied no security measures to the template rendering, so a crafted script is evaluated with full privileges.
Version 1.9.3 adds a security sandbox around this rendering.
- 2023-08-31 Reported the vulnerability to the OctoPrint team
- 2023-08-31 Received a response from the OctoPrint team confirming the vulnerability
- 2023-10-10 Vulnerability fixed and OctoPrint 1.9.3 released
- 2023-10-10 CVE published
More than 20,000 Internet-exposed OctoPrint instances were found through FOFA and Shodan.