CVE-2025-0588

Medium CVSS: 5.9

In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly unusable. The user would be able to subsequently set and unset the referrer header to control the denial of service state with a valid CSRF token whilst new CSRF tokens could not be generated.

Vendor

Octopus

Product

Octopus Server

CWE

CWE-113

Yayın Tarihi

2025-02-11 12:15:34

Güncelleme

2025-07-02 17:24:09

Source Identifier

security@octopus.com

KEV Date Added

Kategoriler

CWE-113 Octopus Server MEDIUM Octopus 2025

Referanslar

https://advisories.octopus.com/post/2024/sa2025-05/ https://advisories.octopus.com/post/2024/sa2025-05/ https://advisories.octopus.com/post/2025/sa2025-05/

Benzer Kayıtlar

Low

CVE-2026-3237

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change…

Low

CVE-2026-3236

In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting i…

Medium

CVE-2026-0704

In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API…

Medium

CVE-2025-0539

In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests th…

Low

CVE-2025-0513

In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could con…

Low

CVE-2025-0526

In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API…