CVE-2025-32374 Overview
CVE-2025-32374 is a denial of service vulnerability in DNN Platform, the open-source web content management system formerly known as DotNetNuke. The flaw allows unauthenticated attackers to submit specially crafted data through the public registration form, causing resource exhaustion on the target server. The vulnerability is categorized under [CWE-770: Allocation of Resources Without Limits or Throttling] and is fixed in DNN version 9.13.8.
Critical Impact
Remote, unauthenticated attackers can trigger denial of service conditions against DNN-hosted websites through the public registration endpoint, disrupting availability of CMS-driven applications.
Affected Products
- DNN Platform (formerly DotNetNuke) versions prior to 9.13.8
- DNN-based websites with public user registration enabled
- Microsoft ecosystem deployments using DNN as their CMS
Discovery Timeline
- 2025-04-09 - CVE-2025-32374 published to NVD
- 2025-08-26 - Last updated in NVD database
Technical Details for CVE-2025-32374
Vulnerability Analysis
The vulnerability resides in DNN's public registration form handler. The application accepts user-supplied registration data without enforcing adequate limits on resource consumption during processing. An attacker submitting specially crafted input forces the application to allocate excessive server resources, degrading or halting service availability.
The issue maps to [CWE-770], which describes scenarios where software allocates reusable resources without imposing limits on quantity or size. Network-accessible exploitation requires no privileges or user interaction, and the EPSS score of 0.616% places it in the 70th percentile for exploitation likelihood.
Root Cause
DNN's registration workflow does not adequately validate or throttle input parameters before triggering downstream processing logic. Specially crafted registration payloads consume disproportionate CPU, memory, or backend resources. The lack of input boundary enforcement enables a single anonymous request to impact server availability.
Attack Vector
Attackers reach the registration form over HTTP/HTTPS without authentication. The exploit requires only that public registration be enabled — a common default in community-oriented DNN deployments. A remote attacker submits malformed or oversized field values to the registration endpoint, triggering the resource exhaustion condition described in the GitHub Security Advisory. No verified public proof-of-concept code is available at this time.
Detection Methods for CVE-2025-32374
Indicators of Compromise
- Spikes in HTTP POST requests to DNN registration endpoints such as /Register or /Default.aspx?tabid=<registration-tab>
- Elevated CPU or memory utilization on IIS worker processes hosting DNN sites
- Slow response times or HTTP 503 errors correlated with anonymous registration traffic
- Repeated registration submissions from a single source IP or distributed across botnet nodes
Detection Strategies
- Inspect web server logs for high-volume or anomalous POST traffic against registration URLs
- Correlate application pool restarts and worker process recycling events with inbound request patterns
- Monitor request body sizes submitted to registration endpoints for outliers
Monitoring Recommendations
- Enable Web Application Firewall (WAF) rules that rate-limit anonymous POST requests to registration endpoints
- Configure IIS Failed Request Tracing for the registration handlers to capture forensic context
- Alert on sustained CPU saturation of w3wp.exe processes serving DNN sites
How to Mitigate CVE-2025-32374
Immediate Actions Required
- Upgrade DNN Platform to version 9.13.8 or later, which contains the official fix
- Disable public user registration temporarily if patching cannot be completed immediately
- Deploy WAF rate limiting on /Register and equivalent registration tabs
Patch Information
DNN Software released version 9.13.8 to resolve this vulnerability. Administrators should follow the upgrade guidance in the DNN Platform Security Advisory GHSA-vc6j-mcqj-rgfp. Backup the DNN database and Portals directory before applying the upgrade.
Workarounds
- Set registration mode to "None" or "Private" in the Site Settings until the patch is applied
- Place the registration page behind a CAPTCHA or reverse proxy enforcing request size limits
- Restrict access to the registration endpoint by IP allowlist where business requirements permit
# Configuration example - disable public registration via DNN Site Settings
# Navigate to: Persona Bar > Settings > Security > Member Accounts
# Set: User Registration = None
# Or apply IIS request filtering to limit POST body size
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="16384" />
</requestFiltering>
</security>
</system.webServer>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
