OrcaSlicer version 2.3.2 landed this week, with a hefty list of improvements and fixes including, critically, a fix to a safety vulnerability related to 3MF files, plus a wide set of quality-of-life improvements for Linux users of the software.
We covered the previous stable release in October 2025 and, like its predecessor, this update also fixes a few bugs and adds new features. The most headline-grabbing aspect is the addressing of a security vulnerability with 3MF file imports, which hadn’t been disclosed before.
The information provided in the GitHub release notes refers to a fix that stops .3mf files – increasingly the go-to for complex multi-plate or multicolor projects – from writing files to arbitrary locations on your system when they are opened, which could then, potentially, lead to the execution of malicious code.
3MF files are, essentially, a kind of ZIP folder. You don’t ever interact with them as you would a regular ZIP, because your slicer handles the unpacking tidily in the background. This type of vulnerability, colloquially known as a “zip-slip”, takes advantage of that hidden unpacking step. SoftFever, lead maintainer of OrcaSlicer, told us: “In plain terms: a malicious actor could craft a specially made .3mf file that, when opened in Orca Slicer, would silently write attacker-controlled files to arbitrary locations on the user’s disk – outside of where OrcaSlicer is supposed to touch…” They continue, “just opening a ‘project file’ from an untrusted source could compromise your machine.”
Such files could, theoretically, be uploaded to model repositories, appear and function as regular printable files, and exploit your system when you download and use them. We’re not aware of any reported uses of this exploit happening in the wild.
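As an added example (not OrcaSlicer's code or its actual patch), this Python check lists a .3mf archive's entries without extracting anything and flags any whose path would resolve outside the extraction directory, which is the condition a zip-slip fix has to reject. The function names, the virtual `ROOT` directory and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import sys
import zipfile

ROOT = "/extract"  # assumed virtual destination; nothing is written to disk


def escaping_entries(archive):
    """Return entry names in a ZIP/3MF that would resolve outside ROOT."""
    flagged = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators: a Windows extractor would.
            name = info.filename.replace("\\", "/")
            # Absolute paths and drive letters bypass the destination outright.
            if name.startswith("/") or name[1:2] == ":":
                flagged.append(info.filename)
                continue
            resolved = posixpath.normpath(posixpath.join(ROOT, name))
            if resolved != ROOT and not resolved.startswith(ROOT + "/"):
                flagged.append(info.filename)
    return flagged


def constructed_sample():
    """Build an in-memory archive (constructed test data, not a real project)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("3D/3dmodel.model", "<model/>")
        zf.writestr("Metadata/../Metadata/thumbnail.png", "x")  # stays inside
        zf.writestr("Metadata/../../outside.txt", "x")          # escapes
        zf.writestr("..\\outside2.txt", "x")                    # escapes on Windows
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python check_3mf.py file1.3mf file2.3mf ...
    targets = sys.argv[1:] or [constructed_sample()]
    for target in targets:
        bad = escaping_entries(target)
        label = target if isinstance(target, str) else "<constructed sample>"
        print(label, "REJECT" if bad else "ok", bad)
```

A clean result only rules out path traversal in entry names; it says nothing about the rest of the file's contents.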
“The issue was responsibly reported to us by user ‘Zekun Shen’, who deserves a lot of credit – he provided a thorough analysis, a working proof-of-concept, and even detailed steps on how such a malicious .3mf could be crafted,” SoftFever continues. “That made it much easier for us to understand the full scope and patch it quickly.”
Orca Slicer being a fork of Bambu Studio, itself derived from PrusaSlicer, begs the obvious question of whether this vulnerability exists upstream in those slicers, too. SoftFever tells us the issue was inherited from the initial forking of Bambu Studio.
A Bambu Lab representative told us that “Bambu Studio does not contain this vulnerability”. We’ve yet to hear from Prusa whether any such issue exists in their slicer, too. It logically follows that downstream slicers forked from versions of Orca before V2.3.2 will need to fold this fix into their codebases too, if they haven’t already.
Linux users have arguably the most to gain from this release. V2.3.2 addresses a string of platform-specific issues affecting Linux desktop users: black screen rendering bugs, a duplicate title bar error in some window managers, and incomplete Wayland support have all been tackled.
Perhaps most critically for power users, the command line interface (CLI) – used by print-farm operators and those running automated slicing workflows – is fixed now.
In addition to patching the 3MF vulnerability and showing Linux users a little love, this new release of Orca Slicer adds a couple of new features to further customize and improve user experience.
For single-extruder multi-material setups that make use of a wipe tower to ensure quality prints, a second type of wipe tower has been added. Before, your printer model would determine which was used, but now you have a choice. “Type 1” is still the default for Bambu Lab and Qidi Tech printers, but the developers recommend everyone else with MMU-type, filament-cutting and toolchanging 3D printers to use the “Type 2” tower.
Additional changes include UX and UI tweaks, plus a spread of new printer and material profiles. For a detailed breakdown of everything in OrcaSlicer v2.3.2, check out the release notes on GitHub. Alternatively, head to the official website. (Watch out for fakes – there are a lot of them. Only orcaslicer.com is the real deal.)
License: The text of "OrcaSlicer Patches a Flaw That Let Malicious 3MF Files Overwrite Your Data" by All3DP is licensed under a Creative Commons Attribution 4.0 International License.