CVE-2025-61258
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-16

Assigner: MITRE

Description
An issue was discovered in Outsystems Platform Server 11.18.1.37828 allows attackers to cause a denial of service via crafted content-length value mismatching the body length.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61258
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
outsystems platform_server 11.18.1.37828
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by sending crafted HTTP POST requests with a mismatched Content-Length header that is larger than the actual body size, and observing if the server hangs or maintains connections indefinitely. Tools such as 'slowhttptest' can be used to simulate this low-and-slow attack (R.U.D.Y). Monitoring for an unusually high number of slow or hanging HTTP POST connections can also indicate exploitation attempts. [2]

Mitigation Strategies

Immediate mitigation steps include configuring hard timeouts to terminate lingering TCP and HTTP sessions after a reasonable period, limiting the maximum number of concurrent connections from a single source, and implementing general brute-force attack prevention mechanisms. There is no official patch or fix available yet. [2]

Executive Summary

This vulnerability in Outsystems Platform Server 11.18.1.37828 allows attackers to cause a denial of service by sending a crafted content-length value that does not match the actual body length of the request.

Impact Analysis

The impact of this vulnerability is a denial of service condition, which means an attacker can disrupt the normal operation of the Outsystems Platform Server, potentially making the service unavailable to legitimate users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61258. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart