First published: Tue Feb 11 2025
In affected versions of Octopus Server, a user with sufficient access could set custom headers that are added to every server response. By submitting a specially crafted referrer header, that user could cause all subsequent server responses to return 500 errors, rendering the site mostly unusable. Because the user already held a valid CSRF token, they could then set and unset the referrer header at will to toggle the denial-of-service state, while no new CSRF tokens could be generated for anyone else.
Credit: security@octopus.com
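The pattern behind this class of bug is a user-controlled string reaching the response header writer unchecked, so that every response fails once the writer rejects the stored value. The following is an added example, not Octopus Server code, of the check a server should apply both when a custom-header setting is saved and again when the headers are emitted. The advisory does not say what in the crafted referrer value broke response writing, so the validator covers the usual causes (CR/LF injection, control and non-ASCII bytes, malformed names, framework-owned headers) and fails closed per header instead of failing the whole response. The function names, the reserved-header list and the length limit are assumptions; the sample configuration is constructed.

```python
"""Validate operator-supplied custom response headers before they reach the
response writer.  Added illustration, not Octopus Server code.  Assumes the
generic failure mode: an unchecked user string handed to the header
serializer, which then raises on every response and surfaces as a 500."""
import re
from typing import Dict, List, Tuple

# RFC 9110 "token" grammar for field names.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Field values: printable ASCII plus SP and HTAB.  Deliberately stricter than
# the RFC (obs-text bytes 0x80-0xFF are excluded): several server stacks
# refuse them anyway, and operator-set headers have no need for them.
_VALUE = re.compile(r"^[\t\x20-\x7e]*$")

# Headers the framework owns.  Letting an operator override these changes
# message framing or session handling rather than adding metadata.
# (Assumed list for this example.)
_RESERVED = {"content-length", "transfer-encoding", "connection",
             "host", "set-cookie"}

MAX_VALUE_LEN = 4096  # assumed limit; keeps a single setting from bloating every response


def validate_header(name: str, value: str) -> Tuple[bool, str]:
    """Return (ok, reason).  Reject rather than escape: a value that would
    need escaping is not one an operator should be emitting at all."""
    if not _TOKEN.match(name):
        return False, "name is not an RFC 9110 token"
    if name.lower() in _RESERVED:
        return False, "name is reserved for the framework"
    if len(value) > MAX_VALUE_LEN:
        return False, "value exceeds length limit"
    if "\r" in value or "\n" in value:
        return False, "value contains CR/LF (header injection)"
    if not _VALUE.match(value):
        return False, "value contains control or non-ASCII characters"
    return True, "ok"


def filter_headers(configured: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Fail closed per header: drop the bad entry and keep serving the page.
    Returns (headers safe to emit, audit messages for the dropped ones).
    Call this at save time to reject the setting outright, and again at emit
    time so a value changed out of band cannot take the whole site down."""
    accepted: Dict[str, str] = {}
    audit: List[str] = []
    for name, raw in configured.items():
        value = raw.strip(" \t")  # optional whitespace around a field value is not significant
        ok, reason = validate_header(name, value)
        if ok:
            accepted[name] = value
        else:
            audit.append(f"dropped custom header {name!r}: {reason}")
    return accepted, audit


# Constructed sample configuration (not taken from any real instance).
SAMPLE = {
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Evil": "ok\r\nSet-Cookie: session=attacker",   # CRLF injection attempt
    "Transfer-Encoding": "chunked",                      # framework-owned header
    "Bad Name": "x",                                     # space is not a token char
    "X-Ctl": "a\x00b",                                   # control byte
}

if __name__ == "__main__":
    good, messages = filter_headers(SAMPLE)
    for line in messages:
        print(line)
    print("emitting:", good)
```

The audit messages belong in the server log with the acting user's identity attached, since a rejected custom header is exactly the event a responder would want to correlate with a burst of 500s.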
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Octopus Deploy | | |
CVE-2025-0588 is classified as a high severity vulnerability because a single user with sufficient access can make the server return 500 errors for every response.
To fix CVE-2025-0588, update Octopus Server to a release that contains the fix.
CVE-2025-0588 allows a user with sufficient access to inject a custom header into all server responses; a crafted value causes every subsequent response to fail with a 500 error, rendering the site unavailable.
Yes, CVE-2025-0588 can be exploited over the network, but only by a user who already holds sufficient access in Octopus Server; it is not an unauthenticated attack.
CVE-2025-0588 affects versions of Octopus Server released before the fix.