CVE-2025-61258: n/a
Outsystems Platform Server 11.18.1.37828 allows attackers to cause a denial of service via a crafted content-length value mismatching the body length. NOTE: the Supplier indicates that they are unable to reproduce this.
AI Analysis
Technical Summary
CVE-2025-61258 is a vulnerability identified in Outsystems Platform Server version 11.18.1.37828 that allows remote attackers to cause a denial of service (DoS) condition. The issue stems from improper handling of the HTTP Content-Length header, where a crafted request contains a content-length value that does not match the actual length of the HTTP body. This mismatch can lead the server to enter an unstable state, potentially crashing or becoming unresponsive, thereby denying legitimate users access to services. The vulnerability is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests), highlighting a failure to properly validate and process HTTP headers and body content consistently. The CVSS v3.1 base score is 7.5, indicating a high severity level, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, meaning the attack can be performed remotely without privileges or user interaction and impacts availability only. Despite the supplier's note that they could not reproduce the issue, the vulnerability remains published and unpatched, posing a risk to affected systems. No known exploits have been reported in the wild, but the potential for disruption exists, especially in environments where Outsystems Platform Server is critical for business operations. The lack of a patch necessitates immediate attention to detection and mitigation strategies to prevent exploitation.
Potential Impact
For European organizations, exploitation of this vulnerability could lead to denial of service conditions on Outsystems Platform Server instances, resulting in downtime and disruption of business-critical applications built on this platform. This can affect service availability, leading to operational delays, loss of customer trust, and potential financial losses. Organizations in sectors such as finance, healthcare, and government that rely on Outsystems for rapid application development and deployment may experience significant impact. Additionally, prolonged outages could affect compliance with regulatory requirements related to service availability and incident response. Given the remote and unauthenticated nature of the attack, threat actors could easily target exposed servers, increasing the risk of widespread disruption. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially if attackers develop proof-of-concept exploits. The inability of the supplier to reproduce the issue may delay patch development, prolonging exposure.
Mitigation Recommendations
1. Implement strict network-level filtering to restrict access to Outsystems Platform Server to trusted IP addresses and internal networks only.
2. Deploy web application firewalls (WAFs) capable of detecting and blocking malformed HTTP requests, specifically those with inconsistent Content-Length headers.
3. Monitor server logs and network traffic for anomalies such as mismatched content-length values or repeated malformed requests indicative of attempted exploitation.
4. Establish rate limiting on HTTP requests to reduce the risk of DoS attacks exploiting this vulnerability.
5. Engage with Outsystems support and subscribe to security advisories to obtain patches or workarounds as soon as they become available.
6. Conduct internal testing to attempt reproduction of the issue in a controlled environment to better understand potential impacts and develop custom mitigations.
7. Prepare incident response plans to quickly address service disruptions potentially caused by exploitation attempts.
8. Consider deploying redundancy and failover mechanisms to maintain service availability in case of an attack.
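A defender-side check for the inconsistency that recommendations 2 and 3 target, as an added example that is not OutSystems code or part of this entry. It parses a complete raw HTTP/1.1 request, compares the declared Content-Length with the body actually received, and also flags the related CWE-444 framing conflicts (duplicate, non-numeric, or Transfer-Encoding alongside Content-Length); the sample requests are constructed here.

```python
"""Flag HTTP requests whose Content-Length disagrees with the received body.

Added example for this entry, not OutSystems code. Sample requests are
constructed inline; the checks mirror what a WAF rule or log-review script
for CWE-444-style framing inconsistencies would enforce.
"""
from typing import Tuple


def check_content_length(raw: bytes) -> Tuple[bool, str]:
    """Parse one complete raw HTTP/1.1 request; return (ok, reason)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete head (no CRLFCRLF)"
    headers = [line.partition(b":") for line in head.split(b"\r\n")[1:]]
    names = {k.strip().lower() for k, _, _ in headers}
    values = [v.strip() for k, _, v in headers
              if k.strip().lower() == b"content-length"]
    actual = len(body)
    if b"transfer-encoding" in names and values:
        # Two framing headers: RFC 9112 says reject rather than guess.
        return False, "Content-Length with Transfer-Encoding"
    if not values:
        # No framing header is acceptable only when no body was sent.
        return actual == 0, "no Content-Length"
    if len(set(values)) > 1:
        return False, "conflicting Content-Length values"
    if not values[0].isdigit():
        return False, "non-numeric Content-Length"
    declared = int(values[0])
    if declared != actual:
        # Over-declared: a live server keeps waiting for bytes that never
        # arrive, so pair this check with strict body-read timeouts.
        return False, f"Content-Length {declared} != body length {actual}"
    return True, "consistent"


# Constructed samples: one well-formed request and three malformed ones.
SAMPLES = {
    "consistent": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
    "oversized": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 500\r\n\r\nhello",
    "duplicate": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n"
                 b"Content-Length: 6\r\n\r\nhello",
    "te_and_cl": b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n"
                 b"Content-Length: 5\r\n\r\nhello",
}
```

Run the function over captured request heads from a proxy or WAF log; any non-consistent verdict on a request that reached the server is the anomaly recommendation 3 asks you to watch for.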
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693867ed74ebaa3babafb8b7
Added to database: 12/9/2025, 6:18:21 PM
Last enriched: 12/24/2025, 4:21:31 PM
Last updated: 2/7/2026, 1:13:22 PM