CVE-2025-0539: 
Octopus Deploy vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Microsoft Windows versions of Octopus Deploy (CVE-2025-0539). The vulnerability was discovered on November 18, 2024, and a patch was released on January 15, 2025. The vulnerability affects multiple versions of Octopus Server, including all 2.6.x, 3.x, 4.x versions, and all versions from 2018.x through 2024.4.x before 2024.4.7065 (Octopus Advisory).

The vulnerability is classified as a Server-Side Request Forgery (SSRF) with a CVSS v4.0 Base Score of 5.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N. The vulnerability is identified under CWE-918 (Server-Side Request Forgery) classification (NVD).

When exploited, this vulnerability allows a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself. The server can be coerced into sending server-side requests that contain authentication material, potentially leading to unauthorized access to sensitive systems (Octopus Advisory).

Octopus Deploy has released fixed versions 2024.4.7065 and 2024.3.13071 to address this vulnerability. Users are recommended to upgrade to the latest version (2025.1.9982). For those unable to upgrade to the latest version, specific version upgrades are recommended based on the currently running version. There are no known mitigations other than upgrading to a fixed version (Octopus Advisory).