CVE-2025-32372
DotNetNuke.Core Vulnerable to Server-Side Request Forgery (SSRF)
CVSS 3.1: 6.5 (MEDIUM)
EPSS: 0.10%
Description
A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks.

### Impact

This vulnerability facilitates a semi-blind SSRF attack, allowing attackers to make the target server send requests to internal or external URLs without viewing the full responses. Potential impacts include internal network reconnaissance and bypassing firewalls.
How to fix CVE-2025-32372
To remediate CVE-2025-32372, upgrade the affected package to a fixed version below.
- Upgrade to 9.13.8 or later
Is CVE-2025-32372 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 9.13.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |