CVE-2025-0539
Severity CVSS v4.0:
MEDIUM
Type:
CWE-918
Server-Side Request Forgery (SSRF)
Publication date:
10/04/2025
Last modified:
02/07/2025
Description
In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself.
Impact
Base Score 4.0
5.90
Severity 4.0
MEDIUM
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:* | 2.6.0 (including) | 2024.3.13071 (excluding) |
cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:* | 2024.4.401 (including) | 2024.4.7065 (excluding) |
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page