Denial of Service Vulnerability in Octopus Server by Octopus Deploy
CVE-2025-0588
5.9 MEDIUM
What is CVE-2025-0588?
In certain versions of Octopus Server, a vulnerability allows users with adequate permissions to manipulate custom headers in server responses. By crafting a specific referrer header, an attacker could cause all subsequent responses to result in server errors (500), leading to significant disruption and a denial of service condition. Because this manipulation can be repeatedly enabled or disabled, the attacker can keep the service unavailable, creating a persistent denial of service state. Additionally, the attacker needs a valid CSRF token to carry out this exploit and is unable to generate new tokens themselves.
Affected Version(s)
Octopus Server (Windows): from 2020.1.0, before 2024.3.13097
Octopus Server (Windows): from 2024.4.401, before 2024.4.7091
References
CVSS V4
Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This vulnerability was found by Edward Prior (@JankhJankh)