CVE-2025-59535 Overview
DNN (formerly DotNetNuke) is an open-source content management system (CMS) built on the Microsoft .NET stack. CVE-2025-59535 affects DNN Platform versions prior to 10.1.0 and allows attackers to load arbitrary installed themes through query string parameters. The flaw enables unauthenticated remote attackers to trigger installed but unused themes on client sessions, potentially activating dormant vulnerabilities in those themes without the site owner's knowledge. The maintainers patched the issue in version 10.1.0 by introducing an explicit AllowOverrideThemeViaQueryString host setting that defaults to false.
Critical Impact
Unauthenticated attackers can force victims' browsers to load arbitrary installed DNN themes via crafted URLs, chaining latent theme vulnerabilities into active attack surface [CWE-20].
Affected Products
- DNN Platform (formerly DotNetNuke) versions prior to 10.1.0
- Deployments with additional installed themes beyond the active theme
- Microsoft IIS-hosted DNN CMS instances
Discovery Timeline
- 2025-09-22 - CVE-2025-59535 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-59535
Vulnerability Analysis
DNN Platform allowed the active skin (theme) to be overridden through query string parameters without any host-level opt-in. The theme resolution logic in DNN Platform/Library/UI/Skins/Skin.cs accepted user-supplied theme identifiers and loaded the corresponding skin package for the current request. Any theme present on the file system, active or not, became reachable through a crafted URL.
The impact depends on the security posture of installed themes. If a site retained an old, vulnerable, or third-party theme, an attacker could invoke that theme on a victim's session and exploit weaknesses such as cross-site scripting or unsafe script inclusion. The vulnerability falls under improper input validation [CWE-20].
Root Cause
The skin loader trusted a query string value as a legitimate theme selector without validating whether administrators had opted in to runtime theme overrides. No configuration flag gated this behavior, and no allowlist restricted which themes could be requested. Consequently, uninstalled-but-present skins remained reachable through the public HTTP surface.
Attack Vector
An unauthenticated attacker constructs a URL to any DNN page and appends the theme override query parameter referencing an installed but non-default theme. When a victim visits the crafted link, the DNN server renders the page using the attacker-chosen skin. If that skin contains client-side vulnerabilities, the attacker can leverage them against the victim's browser session.
// Security patch in HostSettings.cs - introduces an opt-in flag
/// <inheritdoc />
public bool IsLocked => hostSettingsService.GetBoolean("IsLocked", false);
/// <inheritdoc />
public bool AllowOverrideThemeViaQueryString => hostSettingsService.GetBoolean("AllowOverrideThemeViaQueryString", false);
/// <inheritdoc />
public PerformanceSettings PerformanceSetting
{
// Source: https://github.com/dnnsoftware/Dnn.Platform/commit/72f30f69fd2214d77f6c2577dfcca495a24caf5c
The patch adds a new host setting, AllowOverrideThemeViaQueryString, defaulting to false. Skin.cs was updated to consult this setting and the DotNetNuke.Security namespace before honoring any query-string theme override. See the DNN Platform commit 72f30f6 for the complete fix.
Detection Methods for CVE-2025-59535
Indicators of Compromise
- HTTP requests to DNN pages containing skin or theme override query parameters referencing non-default themes
- Repeated requests from a single source cycling through installed theme names
- Unexpected rendering of legacy or third-party themes in web server access logs
- Referrer chains where external sites link to DNN URLs with theme override parameters
Detection Strategies
- Parse IIS and reverse proxy logs for query strings that override skin selection on DNN endpoints
- Compare rendered theme values in application telemetry against the site's configured default theme
- Alert on outbound links that append theme override parameters when routed through email or messaging gateways
- Correlate suspicious query strings with subsequent client-side script errors or XSS payload patterns
Monitoring Recommendations
- Enable verbose HTTP request logging on all DNN portals and forward logs to a centralized analytics platform
- Track the version of DNN Platform deployed across environments to confirm remediation coverage
- Baseline normal query parameter usage per portal and flag statistical anomalies
How to Mitigate CVE-2025-59535
Immediate Actions Required
- Upgrade DNN Platform to version 10.1.0 or later on all production and staging instances
- Inventory installed themes and remove any unused, legacy, or third-party skins from the file system
- Verify that the new AllowOverrideThemeViaQueryString host setting remains at its default value of false
- Review web application firewall (WAF) rules to block skin override query parameters on unpatched systems
Patch Information
The issue is resolved in DNN Platform version 10.1.0. Details of the fix are available in the GitHub Security Advisory GHSA-wq2j-w9pm-7x2p and the remediation commit. The patch adds an opt-in host setting and gates theme override logic in Skin.cs.
Workarounds
- Deploy WAF rules that strip or reject query parameters used to override the active DNN skin
- Delete unused theme directories from the DNN installation folder to reduce reachable attack surface
- Restrict administrative access to host settings so operators cannot enable the override flag unintentionally after upgrade
# Example WAF rule (ModSecurity) to block skin override query parameters on unpatched hosts
SecRule ARGS_NAMES "@rx ^(skinsrc|containersrc|skin|container)$" \
"id:1059535,phase:2,deny,status:403,log,\
msg:'CVE-2025-59535: DNN theme override query parameter blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

