Jump to content
Ultimaker Community of 3D Printing Experts

Security Bug: Private information leakage in .curaproject.3mf files

Recommended Posts

I noticed that in the .curaproject.3mf there is a list of recent opened files. This poses a security risk to the creator of the file.

A normal user who gives this project file to a third party, normally would not expect that private data is leaked via the 3D-print-project file. This is a severe thread for commercial applications.

The private data that could possibly leaked, based on the file names of the recently opened files are:


  • internal project names (folder names)
  • user names (files stored in user profile directory) Used for social engineering attacks
  • other products my company is working on
  • release dates (based on time-stamps in folder names)


I hope I made it clear, why saving a list of recently opened files with or without full path is a bad idea.

Please disable the saving of the recently opened files in the .curaproject.3mf files.

If you absolutely need this for any customer, then make it an opt-in option in the user preference dialog.

Share this post

Link to post
Share on other sites

It's a good point, actually. We just put the entire configuration file there, and that could contain the most recent load path, save path, recently opened files and the location of the engine, which are all paths on the user's file system and could be sensitive.

I'll see if I can remove them for the next release.

  • Like 1

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


Important Information

Welcome to the Ultimaker Community of 3D printing experts. Visit the following links to read more about our Terms of Use or our Privacy Policy. Thank you!