OrcaSlicer 2.3.2 Patches Security Flaw in 3MF File Handling
OrcaSlicer 2.3.2 patches a path traversal exploit in 3MF file import that could let a crafted file write anywhere on your filesystem and potentially execute code.

A path traversal vulnerability in OrcaSlicer's 3MF import has been closed with the release of version 2.3.2. The flaw allowed a specially crafted .3mf file to write to arbitrary filesystem locations during import, with the potential to enable code execution.
That's not a theoretical edge case. The 3MF format is the everyday currency of this hobby: files downloaded from Printables, MakerWorld, and countless Discord servers arrive as .3mf packages. The fix, credited to contributor SoftFever in pull request #12860, closes the hole that let a crafted .3mf file write to arbitrary filesystem locations via path traversal during import. In plain terms: opening the wrong file from the wrong source could have handed a bad actor a path onto your machine.
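For anyone who wants to screen downloads before importing them, here is a pre-import check written for this article as an added example; it is not OrcaSlicer's code or the fix in #12860. It relies on the fact that a .3mf is a ZIP container and assumes the traversal is carried in the archive's entry names, which the release notes do not spell out. The names `unsafe_entries` and `build_sample` are hypothetical, and the sample package is constructed in memory.

```python
import io
import posixpath
import zipfile


def unsafe_entries(package_bytes: bytes) -> list[str]:
    """Return entry names that would resolve outside the extraction directory."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators too, since Windows importers do.
            name = info.filename.replace("\\", "/")
            # Absolute paths and drive-letter paths ignore the target directory.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                flagged.append(info.filename)
                continue
            # Collapse "a/../b" style segments, then see whether the result
            # still climbs above the extraction root.
            norm = posixpath.normpath(name)
            if norm == ".." or norm.startswith("../"):
                flagged.append(info.filename)
    return flagged


def build_sample(with_traversal: bool) -> bytes:
    """Build a constructed, minimal 3MF-like ZIP in memory for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("3D/3dmodel.model", "<model/>")
        # Harmless: the ".." stays inside the package root after normalising.
        zf.writestr("Metadata/../Metadata/plate_1.json", "{}")
        if with_traversal:
            zf.writestr("Metadata/../../outside.txt", "constructed")
            zf.writestr("..\\..\\outside2.txt", "constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("crafted", True)):
        print(label, unsafe_entries(build_sample(flag)))
```

A package that comes back with any flagged entry should not be opened in a slicer older than 2.3.2.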
Beyond the security patch, the release adds a configurable wipe tower type setting, delivers extensive Linux and Flatpak improvements, fixes a CLI segfault, and includes UI refinements like dynamic title bar sizing and accordion sidebar tabs.
The new configurable wipe tower type is a printer-level setting that lets you choose the tower type rather than having it determined solely by your printer model. Type 2 is generally recommended for MMU, filament cutter, and tool changer setups.
The multi-material crowd gets additional attention across several other fixes. SoftFever also resolved three regressions in multi-tool extruder tabs: dirty flags not showing for extruder-specific options, a crash when switching to non-first extruder tabs, and parameters on one extruder unintentionally affecting others. A separate crash during G-code export for multi-material prints using WipeTower2, caused by mesh data not being initialized, was also resolved.

Wipe tower positioning got a fix as well: the tower was being placed beyond the bed boundary after printer preset changes. The position is now re-clamped when presets change, and the estimated size includes the brim.
Linux users in particular benefit from a fix to a blank 3D preview caused by an EGL/GLX mismatch when running on Wayland. A crash when importing 3MF files containing silent-mode machine limits with legacy vector sizes was also resolved. The official Flathub version is expected to follow shortly.
The security fix alone makes 2.3.2 a mandatory update for anyone who regularly imports .3mf files from external sources, which is to say, nearly everyone.

