CVE-2025-61258
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-16
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| outsystems | platform_server | 11.18.1.37828 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Outsystems Platform Server 11.18.1.37828 allows attackers to cause a denial of service by sending a crafted content-length value that does not match the actual body length of the request.
How can this vulnerability impact me?
The impact of this vulnerability is a denial of service condition, which means an attacker can disrupt the normal operation of the Outsystems Platform Server, potentially making the service unavailable to legitimate users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP POST requests with a mismatched Content-Length header that is larger than the actual body size, and observing if the server hangs or maintains connections indefinitely. Tools such as 'slowhttptest' can be used to simulate this low-and-slow attack (R.U.D.Y). Monitoring for an unusually high number of slow or hanging HTTP POST connections can also indicate exploitation attempts. [2]
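The monitoring idea above (an unusual number of slow or hanging POST connections from one source) can be checked against web server access logs. The following is an added example, not code from BaseFortify or OutSystems; it assumes an nginx-style log format that records $request_time, and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the advisory). Assumed format:
#   remote_addr [time] "request" status request_time
# where request_time is the seconds the server spent on the request,
# including time spent waiting for a body that never fully arrives.
SAMPLE_LOG = """\
203.0.113.10 [09/Dec/2025:10:00:01 +0000] "POST /api/login HTTP/1.1" 408 60.002
203.0.113.10 [09/Dec/2025:10:00:02 +0000] "POST /api/login HTTP/1.1" 408 60.001
203.0.113.10 [09/Dec/2025:10:00:03 +0000] "POST /api/login HTTP/1.1" 408 59.998
203.0.113.10 [09/Dec/2025:10:00:04 +0000] "POST /api/login HTTP/1.1" 408 60.000
198.51.100.7 [09/Dec/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 0.012
198.51.100.7 [09/Dec/2025:10:00:06 +0000] "POST /api/login HTTP/1.1" 200 0.143
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<rtime>\d+(?:\.\d+)?)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["rtime"] = float(rec["rtime"])
    return rec


def find_slow_post_sources(log_text, slow_seconds=30.0, min_hits=3):
    """Return {ip: (count, total_seconds)} for sources with at least min_hits
    POST requests that each held a connection longer than slow_seconds."""
    stats = defaultdict(lambda: [0, 0.0])
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST" or rec["rtime"] < slow_seconds:
            continue
        stats[rec["ip"]][0] += 1
        stats[rec["ip"]][1] += rec["rtime"]
    return {ip: (c, round(t, 3)) for ip, (c, t) in stats.items() if c >= min_hits}


if __name__ == "__main__":
    for ip, (count, held) in find_slow_post_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} slow POSTs, {held:.1f}s of connection time held")
```

Thresholds are placeholders; tune slow_seconds to the body-read timeout actually configured on the server, since a legitimate slow upload should never approach it.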
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include configuring hard timeouts to terminate lingering TCP and HTTP sessions after a reasonable period, limiting the maximum number of concurrent connections from a single source, and implementing general brute-force attack prevention mechanisms. There is no official patch or fix available yet. [2]