CVE-2025-0526

Summary

In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server2022.4.791 < 2024.3.13097affected
Octopus DeployOctopus Server2024.4.401 < 2024.4.7091affected

Weaknesses

  • File Upload Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References