VYPR
Moderate severity · NVD Advisory · Published Oct 19, 2022 · Updated May 9, 2025

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in octoprint/octoprint

CVE-2022-3607

Description

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository octoprint/octoprint prior to 1.8.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OctoPrint prior to 1.8.3 allowed path traversal via specially crafted language packs, enabling arbitrary file write.

Vulnerability

Overview

CVE-2022-3607 is a special element injection vulnerability in OctoPrint, the popular 3D printer web interface. The flaw resides in the language pack handling mechanism, where uploaded ZIP or tar archives were not properly sanitized for path traversal sequences. Prior to version 1.8.3, the validation only checked archive member names against simple patterns (a leading '/' or a '..' substring) but never resolved each name relative to the extraction target directory [1][4]. This allowed an attacker to craft an archive with entries that escape the intended language pack folder.

Exploitation

To exploit this vulnerability, an attacker must be able to upload a language pack, which typically requires an authenticated user with plugin or system administration privileges. By providing a malicious archive containing file paths such as ../../etc/octoprint/config.yaml or absolute paths like /tmp/malicious, the attacker could write files to arbitrary locations on the server's filesystem [4]. The fix introduced in commit 3cca3a4 adds proper path resolution using os.path.abspath and os.path.join to ensure all extracted files remain within the target directory, and also validates that tar entries are regular files or directories [4].
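To make the difference between the two checks concrete, here is an added example (my own code, not OctoPrint's) that implements the pre-fix pattern test beside the resolution-based containment check used by the 1.8.3 fix, then runs them over constructed in-memory ZIP and tar archives. It goes a little beyond the page's cases: it also shows a legitimate name containing "..hidden" that the pattern test wrongly rejects, an empty name that the pattern test wrongly accepts, and a tar symlink rejected by the member-type check. The target directory /srv/octoprint/translations, the member names and the archive contents are all constructed for the demonstration.

```python
import io
import os
import tarfile
import zipfile


class InvalidLanguagePack(Exception):
    """Raised when an archive member would land outside the target directory."""


def naive_check(name):
    """Pre-fix style pattern test: rejects a leading '/' or any '..' substring."""
    return not (name.startswith("/") or ".." in name)


def is_contained(target, name):
    """Containment check in the style of the 1.8.3 fix: resolve the member's
    final path and require it to sit strictly below the normalized target.
    The target is normalized here so a relative or trailing-slash target
    does not make every member fail the prefix test."""
    target = os.path.abspath(target)
    resolved = os.path.abspath(os.path.join(target, name))
    return resolved.startswith(target + os.path.sep)


def validate_zip(data, target):
    """Validate every member of an in-memory ZIP before anything is extracted."""
    with zipfile.ZipFile(io.BytesIO(data), "r") as zf:
        for info in zf.infolist():
            if not is_contained(target, info.filename):
                raise InvalidLanguagePack(f"invalid name {info.filename}")
    return True


def validate_tar(data, target):
    """Validate every tar member: containment plus regular-file-or-directory type,
    which excludes symlinks, hard links and device entries."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for info in tf.getmembers():
            if not is_contained(target, info.name):
                raise InvalidLanguagePack(f"invalid name {info.name}")
            if not (info.isfile() or info.isdir()):
                raise InvalidLanguagePack(f"invalid file type for {info.name}")
    return True


def build_zip(members):
    """Constructed sample archive: members is a list of (name, bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


def build_tar(members):
    """Constructed sample archive: members is a list of (name, bytes, linkname);
    a non-None linkname produces a symlink entry instead of a regular file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content, link in members:
            ti = tarfile.TarInfo(name)
            if link is not None:
                ti.type = tarfile.SYMTYPE
                ti.linkname = link
                tf.addfile(ti)
            else:
                ti.size = len(content)
                tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()


def is_rejected(validator, data, target):
    """Helper for callers: True when the validator refuses the archive."""
    try:
        validator(data, target)
    except InvalidLanguagePack:
        return True
    return False


if __name__ == "__main__":
    target = "/srv/octoprint/translations"   # constructed target directory
    for name in ["de/LC_MESSAGES/messages.mo", "../../config.yaml",
                 "/tmp/malicious", "de/..hidden/messages.mo", ""]:
        print(f"{name!r:32} naive={naive_check(name)!s:5} "
              f"contained={is_contained(target, name)}")
    bad_tar = build_tar([("de/link", b"", "../../config.yaml")])
    print("symlink tar rejected:", is_rejected(validate_tar, bad_tar, target))
```

Validating before extraction matters most for tar: Python's zipfile.extractall already drops leading separators and '..' components from member names, whereas tarfile.extractall did no such sanitizing before the filter argument introduced in Python 3.12 (and backported to maintenance releases), so a tar member named ../../config.yaml or a symlink entry would be written exactly as given.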

Impact

Successful exploitation allows an attacker to write arbitrary files to the OctoPrint server. This could lead to overwriting critical configuration files, injecting malicious code into startup scripts, or placing a web shell, ultimately resulting in remote code execution with the privileges of the OctoPrint process [1][3]. The vulnerability is rated with a CVSS score of 8.8 (High) due to the high impact on confidentiality, integrity, and availability.

Mitigation

The vulnerability was fixed in OctoPrint version 1.8.3, released on 2022-10-19. Users are strongly advised to update to this version or later. No workarounds are documented; the only mitigation is to apply the patch [1][4]. The issue was reported via huntr.dev and is also tracked in the PySec advisory database [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: OctoPrint (PyPI)
Affected versions: < 1.8.3
Patched versions: 1.8.3

Affected products (2)
  • ghsa-coords
    Range: < 1.8.3
  • octoprint/octoprint/octoprintv5
    Range: unspecified

Patches (1)
3cca3a43f3d0

🔒️ Close a sanity check hole in language packs

https://github.com/octoprint/octoprint · Gina Häußge · Aug 31, 2022 · via ghsa
1 file changed · +16 −4
  • src/octoprint/server/api/languages.py · +16 −4 · modified
    @@ -174,7 +174,8 @@ def deleteInstalledLanguagePack(locale, pack):
     def _unpack_uploaded_zipfile(path, target):
         with zipfile.ZipFile(path, "r") as zip:
             # sanity check
    -        map(_validate_archive_name, zip.namelist())
    +        for info in zip.infolist():
    +            _validate_zip_info(info, target)
     
             # unpack everything
             zip.extractall(target)
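Review bot: the removed `map(_validate_archive_name, zip.namelist())` line was a no-op on Python 3, because `map` returns a lazy iterator that nothing here consumed, so no member name was ever validated before `zip.extractall(target)`; the explicit `for info in zip.infolist(): _validate_zip_info(info, target)` loop is what makes the check execute at all, not just what tightens it, and the commit message should say so since it changes how the pre-fix exposure is understood.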
    @@ -183,16 +184,27 @@ def _unpack_uploaded_zipfile(path, target):
     def _unpack_uploaded_tarball(path, target):
         with tarfile.open(path, "r") as tar:
             # sanity check
    -        map(_validate_archive_name, tar.getmembers())
    +        for info in tar.getmembers():
    +            _validate_tar_info(info, target)
     
             # unpack everything
             tar.extractall(target)
     
     
    -def _validate_archive_name(name):
    -    if name.startswith("/") or ".." in name:
    +def _validate_archive_name(name, target):
    +    if not os.path.abspath(os.path.join(target, name)).startswith(target + os.path.sep):
             raise InvalidLanguagePack(f"Provided language pack contains invalid name {name}")
     
     
    +def _validate_zip_info(info, target):
    +    _validate_archive_name(info.filename, target)
    +
    +
    +def _validate_tar_info(info, target):
    +    _validate_archive_name(info.name, target)
    +    if not (info.isfile() or info.isdir()):
    +        raise InvalidLanguagePack("Provided language pack contains invalid file type")
    +
    +
     class InvalidLanguagePack(Exception):
         pass
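Review bot: `_validate_archive_name` assumes `target` is already an absolute, normalized path with no trailing separator, since it compares `os.path.abspath(os.path.join(target, name))` against `target + os.path.sep`; a relative `target`, or one ending in a slash, would make every member fail the prefix test and reject valid packs. Normalizing once, e.g. `target = os.path.abspath(target)` at the top of the function or in the two `_unpack_uploaded_*` callers, removes that dependency on the caller. The same `map` laziness affected the removed `tar.getmembers()` line, so the `for` loop is also what makes the tar check run; the added `isfile() or isdir()` requirement in `_validate_tar_info` correctly excludes symlink, hard-link and device entries that `tar.extractall` would otherwise create.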
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)
