Vulnerability Description
In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly unusable. The user would be able to subsequently set and unset the referrer header to control the denial of service state with a valid CSRF token whilst new CSRF tokens could not be generated.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Octopus | Octopus Server | >= 2020.1.0, < 2024.3.13097 |
| Linux | Linux Kernel | - |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://advisories.octopus.com/post/2024/sa2025-05/Broken Link
- https://advisories.octopus.com/post/2024/sa2025-05/Broken Link
- https://advisories.octopus.com/post/2025/sa2025-05/Vendor Advisory
FAQ
What is CVE-2025-0588?
CVE-2025-0588 is a vulnerability with a CVSS score of 4.9 (MEDIUM). In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user co...
How severe is CVE-2025-0588?
CVE-2025-0588 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-0588?
Check the references section above for vendor advisories and patch information. Affected products include: Octopus Octopus Server, Linux Linux Kernel, Microsoft Windows.