Server-Side Request Forgery in Octopus Deploy by Microsoft
CVE-2025-0539

5.9MEDIUM

Key Information:

Vendor: Octopus Deploy
Status: Octopus Server
Vendor: CVE Published:; 10 April 2025

🔔 Create Octopus Deploy Vulnerability Alert

What is CVE-2025-0539?

In specific versions of Octopus Deploy running on Microsoft Windows, a vulnerability exists where the server can be manipulated into executing server-side requests that inadvertently include sensitive authentication details. This could allow an attacker with the right access to exploit the service, potentially gaining control over the account managing Octopus Server and jeopardizing the underlying host infrastructure.

Affected Version(s)

Octopus Server Windows 2.6.0 < 2024.3.13071

Octopus Server Windows 2024.4.401 < 2024.4.7065

References

https://advisories.octopus.com/post/2025/sa2025-06

CVSS V4

Score:

5.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2025
Vulnerability Reserved
Jan 17, 2025

Credit

This vulnerability was found by Edward Prior (@JankhJankh)