CVE-2025-0588: 
Octopus Deploy vulnerability analysis and mitigation

CVE-2025-0588 is a vulnerability discovered in Octopus Server that was reported on February 10, 2025. The vulnerability affects all 2020.x, 2021.x, 2022.x, 2023.x versions, all 2024.1.x, 2024.2.x versions, all 2024.3.x versions before 2023.3.13097, and all 2024.4.x versions before 2024.4.7091. The vulnerability was discovered by Edward Prior (@JankhJankh) on November 18, 2024, and a patch was released on January 22, 2025 (Octopus Advisory).

The vulnerability allows users with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header, an attacker could cause all subsequent server responses to return 500 errors, making the site mostly unusable. The vulnerability has been assigned a CVSS v4.0 score of 5.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (NVD).

The primary impact of this vulnerability is the ability to render the Octopus Server site mostly unusable through a denial of service condition. The attacker could control the denial of service state by setting and unsetting the referrer header with a valid CSRF token, while preventing the generation of new CSRF tokens (Octopus Advisory).

Octopus Deploy recommends upgrading to version 2024.4.7132 or later to address this vulnerability. For users unable to upgrade to the latest version, specific version upgrades are recommended: users on 2020.x through 2024.3.x should upgrade to 2024.3.13097 or greater, while users on 2024.4.x should upgrade to 2024.4.7091 or greater. There are no known mitigations other than upgrading to a fixed version (Octopus Advisory).