CVE-2025-32355 is a vulnerability in Rocket TRUfusion Enterprise versions through 7.10.4.0 involving a reverse proxy component that handles incoming HTTP connections. The reverse proxy is misconfigured such that it accepts absolute URLs in the HTTP request line, rather than restricting requests to relative paths. This flaw allows an attacker to craft HTTP requests that cause the proxy to fetch arbitrary resources specified by the absolute URL. This behavior can be exploited to perform server-side request forgery (SSRF), where the proxy server is tricked into making unintended requests to internal or external systems. SSRF can lead to unauthorized access to internal services, information disclosure, or facilitate further attacks such as port scanning, internal network reconnaissance, or exploitation of other vulnerabilities within the internal network. The vulnerability does not require any authentication or user interaction, making it remotely exploitable by any attacker with network access to the proxy. The CVSS 7.9 score reflects the network attack vector, low attack complexity, no privileges or user interaction required, but with high scope and impact on confidentiality and integrity. The vulnerability is tracked under CWE-918, which covers SSRF issues. No patches or official fixes are listed yet, and no known exploits have been observed in the wild as of the publication date. Organizations using Rocket TRUfusion Enterprise should monitor for updates and consider interim mitigations.

The impact of CVE-2025-32355 is significant for organizations using Rocket TRUfusion Enterprise, especially those exposing the reverse proxy to untrusted networks. Exploitation can lead to unauthorized internal network access, allowing attackers to bypass perimeter defenses and interact with internal services that are otherwise inaccessible externally. This can result in sensitive data exposure, disruption of internal services, or pivoting to further compromise the network. The vulnerability undermines confidentiality and integrity by enabling attackers to retrieve or manipulate internal resources. Given the high CVSS score and the lack of required authentication, the threat is severe for enterprises relying on this software for critical operations. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks. Organizations in sectors such as finance, government, healthcare, and critical infrastructure that use Rocket TRUfusion Enterprise are particularly at risk due to the potential sensitivity of internal resources accessible via SSRF.

To mitigate CVE-2025-32355, organizations should first apply any official patches or updates from Rocket Software once available. In the absence of patches, administrators should review and harden the reverse proxy configuration to reject HTTP requests containing absolute URLs in the request line, enforcing strict validation to allow only relative paths. Network segmentation should be enhanced to limit the proxy server's ability to access sensitive internal resources. Implementing strict egress filtering and firewall rules can prevent the proxy from making unauthorized outbound requests. Monitoring and logging of proxy requests should be increased to detect anomalous or suspicious URL requests indicative of SSRF attempts. Additionally, employing web application firewalls (WAFs) with SSRF detection capabilities can provide an additional layer of defense. Regular security assessments and penetration testing focusing on SSRF vectors are recommended to identify and remediate similar misconfigurations. Finally, educating network and security teams about SSRF risks and detection techniques will improve overall resilience.