Description

In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself.

Status: PUBLISHED | Reserved 2025-01-17 | Published 2025-04-10 | Updated 2025-04-15 | Assigner: Octopus

Severity: MEDIUM 5.9 | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

Server Side Request Forgery

Product status

Default status
unaffected

2.6.0 (custom) before 2024.3.13071
affected

2024.4.401 (custom) before 2024.4.7065
affected

Credits

This vulnerability was found by Edward Prior (@JankhJankh) [finder]

References

advisories.octopus.com/post/2025/sa2025-06

cve.org (CVE-2025-0539)

nvd.nist.gov (CVE-2025-0539)