CVE-2025-32355: n/a
Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource.
AI Analysis
Technical Summary
CVE-2025-32355 identifies a vulnerability in Rocket TRUfusion Enterprise versions through 7.10.4.0 related to the handling of HTTP requests by its reverse proxy component. The proxy is misconfigured to accept HTTP request lines containing absolute URLs rather than relative paths. This misconfiguration allows an attacker to specify arbitrary external or internal URLs in the request line, causing the proxy to fetch and load those resources. Such behavior can be exploited to perform server-side request forgery (SSRF), where the attacker tricks the server into making unintended requests to internal systems or external endpoints. This can lead to unauthorized access to internal services, data exfiltration, or pivoting within a network. The vulnerability does not require authentication or user interaction, increasing its risk profile. No CVSS score has been assigned yet, and no public exploits have been reported. The lack of patch links suggests that either a fix is pending or not publicly disclosed. The vulnerability stems from improper validation and filtering of HTTP request lines in the reverse proxy, a critical component that should enforce strict request handling policies to prevent abuse.
Potential Impact
For European organizations, this vulnerability could have significant consequences, especially for those using Rocket TRUfusion Enterprise in sensitive environments such as government, finance, or critical infrastructure. Exploitation could allow attackers to bypass perimeter defenses by leveraging the proxy to access internal-only resources, potentially exposing confidential data or enabling lateral movement within networks. The ability to specify arbitrary URLs could also be used to launch further attacks, including scanning internal networks, accessing metadata services, or exploiting other internal vulnerabilities. This could lead to data breaches, service disruptions, or compromise of critical systems. The absence of authentication requirements and user interaction lowers the barrier for exploitation, increasing the threat level. Organizations relying on Rocket TRUfusion for secure communications or as a gateway component should consider this a high-risk issue. The impact is compounded by the potential difficulty in detecting such proxy misuse without proper monitoring and logging.
Mitigation Recommendations
Immediate mitigation should focus on reconfiguring the reverse proxy to reject HTTP request lines containing absolute URLs, enforcing strict validation to allow only relative paths. Network segmentation and access controls should be reviewed to limit the proxy's ability to reach sensitive internal resources. Organizations should monitor proxy logs for unusual requests that include absolute URLs or unexpected destinations. Deploying web application firewalls (WAFs) with rules to detect and block SSRF attempts can provide additional protection. Since no official patches are currently linked, organizations should engage with Rocket Software support to obtain updates or workarounds. Implementing strict egress filtering on the proxy server to restrict outbound requests to trusted destinations can reduce risk. Finally, conducting internal penetration testing focusing on SSRF and proxy misconfigurations can help identify and remediate related weaknesses.
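One way to implement the request-line validation and proxy-log check recommended above, as an added example that is not part of the original advisory or Rocket's code. It assumes combined-format access logs (the advisory does not name the log format); the function names and the sample log lines are constructed for illustration.

```python
import re

# Request line as it appears in a combined-format access log entry (assumed format).
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d(?:\.\d)?"')
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

def classify_target(method, target):
    """Name the RFC 9112 request-target form used in a request line."""
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if SCHEME.match(target):
        return "absolute-form"  # the form the misconfigured proxy acts on
    if method == "CONNECT":
        return "authority-form"
    return "invalid"

def should_reject(method, target):
    """Reverse-proxy policy: allow origin-form, and '*' only for OPTIONS."""
    form = classify_target(method, target)
    if form == "origin-form":
        return False
    return not (form == "asterisk-form" and method == "OPTIONS")

def suspicious_entries(log_lines):
    """Return (line_number, form, target) for entries the policy rejects."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_LINE.search(line)
        if match is None:
            findings.append((number, "unparsed", None))  # malformed request line
            continue
        method, target = match["method"], match["target"]
        if should_reject(method, target):
            findings.append((number, classify_target(method, target), target))
    return findings

# Constructed sample log lines (documentation addresses and hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Feb/2026:08:18:03 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Feb/2026:08:18:09 +0000] "GET http://internal.example/status HTTP/1.1" 200 90',
    '198.51.100.7 - - [18/Feb/2026:08:18:11 +0000] "CONNECT internal.example:8443 HTTP/1.1" 200 0',
    '192.0.2.10 - - [18/Feb/2026:08:18:15 +0000] "OPTIONS * HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_LOG):
        print(finding)
```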
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-04-05T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 699575bb80d747be2053770f
Added to database: 2/18/2026, 8:18:03 AM
Last enriched: 2/18/2026, 8:21:38 AM
Last updated: 2/21/2026, 12:16:51 AM