{"id":"CVE-2025-48879","summary":"OctoPrint Vulnerable to Denial of Service through malformed HTTP request","details":"OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. The issue can be triggered by a broken multipart/form-data request lacking an end boundary to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server. The vulnerability has been patched in version 1.11.2.","aliases":["GHSA-9wj4-8h85-pgrw"],"modified":"2026-04-10T05:28:51.537752Z","published":"2025-06-10T15:23:54.150Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48879.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-140","CWE-835"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48879.json"},{"type":"ADVISORY","url":"https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48879"},{"type":"FIX","url":"https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/foosel/octoprint","events":[{"introduced":"0"},{"fixed":"96e48c5662274a1941486d3e0853141661fc0455"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.11.2"}]}}],"versions":["1.1.0-dev","1.10.0","1.10.1","1.10.2","1.10.3","1.11.0","1.11.1","1.2.0","1.2.0-dev","1.2.0-rc1","1.2.0-rc2","1.2.0-rc3","1.2.1","1.2.10","1.2.11","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.16rc1","1.2.16rc2","1.2.17rc1","1.2.17rc2","1.2.17rc3","1.2.18","1.2.18rc1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.4.0rc1","1.4.0rc2","1.4.0rc3","1.4.0rc4","1.4.0rc5","1.4.0rc6","1.5.0","1.5.0rc1","1.5.0rc2","1.5.0rc3","1.5.1","1.5.2","1.5.3","1.6.1","1.7.1","1.7.2","1.7.3","1.8.0","1.8.1","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.9.0","1.9.2","1.9.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48879.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/octoprint/octoprint","events":[{"introduced":"0"},{"fixed":"96e48c5662274a1941486d3e0853141661fc0455"}]}],"versions":["1.1.0-dev","1.10.0","1.10.1","1.10.2","1.10.3","1.11.0","1.11.1","1.2.0","1.2.0-dev","1.2.0-rc1","1.2.0-rc2","1.2.0-rc3","1.2.1","1.2.10","1.2.11","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.16rc1","1.2.16rc2","1.2.17rc1","1.2.17rc2","1.2.17rc3","1.2.18","1.2.18rc1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.4.0rc1","1.4.0rc2","1.4.0rc3","1.4.0rc4","1.4.0rc5","1.4.0rc6","1.5.0","1.5.0rc1","1.5.0rc2","1.5.0rc3","1.5.1","1.5.2","1.5.3","1.6.1","1.7.1","1.7.2","1.7.3","1.8.0","1.8.1","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.9.0","1.9.2","1.9.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48879.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}