Platform: dotnet
Component: microsoft-power-apps
CVE-2025-47733 is a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Power Apps. An unauthenticated remote attacker can manipulate the application into issuing requests to internal or external resources of the attacker's choosing and read the results, disclosing information over a network. Power Apps is a Microsoft-hosted service rather than customer-installed software; Microsoft has addressed the issue on the service side, and its advisory states whether any tenant-side action is required.
The SSRF in Power Apps is significant because the forged requests originate from the platform itself, so they carry the platform's network position and, where connectors attach credentials, its identity. Depending on what the platform can reach, an attacker could enumerate internal hosts and ports, read data from internal HTTP services that trust platform-originated traffic, query cloud metadata endpoints, or drive other internal services. The outcomes are data exposure and unauthorized access to systems that were never meant to be reachable from the application, which is why the vulnerability is rated critical.
CVE-2025-47733 was publicly disclosed on 2025-05-08. The CVSS score of 9.1 (CRITICAL) reflects severity (network-reachable, no privileges or user interaction required, high confidentiality impact), not likelihood of exploitation. No public proof-of-concept exploit is known at the time of writing, though SSRF bugs are typically straightforward to exploit once the request primitive is understood, so that can change quickly. Check the CISA KEV catalog directly for its current status; a KEV listing would indicate confirmed in-the-wild exploitation, which is not otherwise reported here.
Exploit Status
EPSS: 2.92% (86th percentile)
CISA SSVC
CVSS Vector
Because Power Apps is hosted by Microsoft, the service-side fix for CVE-2025-47733 is applied by Microsoft; confirm in the advisory whether any tenant-side action is required. Independently of that fix, reduce what an SSRF originating from the platform could reach and make abuse visible: segment the network so that internal endpoints (and anything reachable through an on-premises data gateway) are not exposed to the platform's outbound traffic unless they need to be; in custom connectors and flows, never accept an attacker-influenced URL as the request target, and validate destination URLs against an allowlist of hostnames rather than trying to filter out bad ones; monitor connector and gateway logs for outbound requests to loopback, private address ranges, or cloud metadata endpoints such as 169.254.169.254; and review existing custom connectors for any operation that builds request URLs from user input.
Microsoft has published a security update for this vulnerability. Review the Microsoft Security Update Guide entry for CVE-2025-47733 for the fix status of Microsoft Power Apps and any specific instructions.
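The URL-allowlisting and log-monitoring advice above, as an added example in Python (not code from this advisory, from Microsoft, or from Power Apps): an outbound-request guard that a custom connector or integration would apply before fetching a URL on a user's behalf, and a scan over connector log lines that flags requests the same policy would have refused. The allowed hosts, the log format, the sample log lines and the stand-in DNS table are all assumptions for the demonstration; the address classification and the URL-parsing pitfalls it handles (literal IPs, IPv4-mapped IPv6, userinfo tricks, allowlisted names resolving to internal addresses) are general.

```python
"""Added example (not code from the advisory, Microsoft, or Power Apps).

Working Python for two of the mitigations above: an outbound-request guard
that an integration or custom connector would apply before fetching a URL on
a user's behalf, and a scan over connector log lines that flags requests the
same policy would have refused. The allowlists, the log format, the sample
log lines and the stand-in resolver are all assumptions for the demo.
"""
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed policy: the integration may only call these hosts, only over HTTPS.
ALLOWED_HOSTS = {"api.example.com", "graph.microsoft.com"}
ALLOWED_SCHEMES = {"https"}


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (which includes the cloud
    metadata address 169.254.169.254), ULA, multicast and unparseable input.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # Unwrap ::ffff:10.0.0.1 so the IPv4 rules apply to mapped addresses.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def default_resolver(host: str) -> List[str]:
    """Every address the name maps to (A and AAAA), via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(
    url: str, resolve: Optional[Callable[[str], List[str]]] = default_resolver
) -> Tuple[bool, str, List[str]]:
    """Decide whether the application may fetch url.

    Returns (allowed, reason, pinned_ips). When allowed, the caller should
    connect to one of pinned_ips with the Host header set to the hostname
    instead of resolving a second time (closing the DNS-rebinding window),
    and must run this check again on every redirect target rather than
    letting the HTTP client follow redirects automatically.
    resolve=None skips resolution (for offline analysis of logged URLs).
    """
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased, brackets and userinfo stripped
    if not host:
        return False, "no host in URL", []
    try:
        ipaddress.ip_address(host)
        # Literal addresses never pass: the allowlist is hostnames only, so
        # 10.0.4.17, [::1], ::ffff:127.0.0.1 and 169.254.169.254 stop here.
        return False, f"literal IP address {host} rejected", []
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False, f"host {host} not on allowlist", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme} not allowed", []
    if resolve is None:
        return True, "ok (not resolved)", []
    addrs = resolve(host)
    if not addrs:
        return False, f"{host} did not resolve", []
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:
        # An allowlisted name can still be pointed at an internal address
        # (rebinding, a compromised zone); refuse rather than connect.
        return False, f"{host} resolves to non-public address {bad[0]}", []
    return True, "ok", addrs


# Assumed log format: one outbound request per line, key=value fields.
LOG_LINE = re.compile(r"^(?P<ts>\S+) connector=(?P<connector>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$")

# Constructed sample log lines for the demo; not real Power Apps telemetry.
SAMPLE_LOG = """\
2025-05-08T10:01:22Z connector=inventory url=https://api.example.com/v1/items status=200
2025-05-08T10:01:23Z connector=inventory url=http://169.254.169.254/metadata/instance?api-version=2021-02-01 status=200
2025-05-08T10:01:24Z connector=inventory url=https://10.0.4.17:8443/admin status=403
2025-05-08T10:01:25Z connector=lookup url=https://graph.microsoft.com/v1.0/me status=200
2025-05-08T10:01:26Z connector=lookup url=http://localhost:5985/wsman status=200
2025-05-08T10:01:27Z connector=lookup url=https://user@api.example.com@127.0.0.1/ status=200
"""


def scan_log(text: str) -> List[Tuple[str, str]]:
    """(line, reason) for each logged request the policy would have refused.

    Names are not resolved here: a log scan should not generate DNS traffic,
    and a hostname off the allowlist is a finding on its own.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        allowed, reason, _ = check_outbound_url(m["url"], resolve=None)
        if not allowed:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    # Stand-in for DNS (demo assumption; 8.8.8.8 is just some public address).
    table = {"api.example.com": ["8.8.8.8"], "graph.microsoft.com": ["10.0.0.9"]}
    for u in ("https://api.example.com/v1/items", "https://graph.microsoft.com/v1.0/me"):
        print(u, check_outbound_url(u, resolve=lambda h: table.get(h, [])))
    for line, reason in scan_log(SAMPLE_LOG):
        print("FLAG:", reason, "<-", line)
```

Two design points matter more than the address list. First, the policy is an allowlist of hostnames, so obfuscated literals (decimal or octal IPs, bracketed IPv6, mapped addresses, `user@host@ip` userinfo tricks) never need to be recognised individually; anything that is not an allowlisted name fails. Second, the resolved addresses are returned for pinning: a guard that validates a name and then lets the HTTP client resolve it again leaves a window for DNS rebinding, and one that lets the client follow redirects lets an allowlisted host bounce the request into the internal network.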
CVE-2025-47733 is a critical SSRF vulnerability in Microsoft Power Apps that lets an unauthenticated attacker make the application issue requests to attacker-chosen resources and disclose the results over the network.
You are affected if your organization uses Microsoft Power Apps; because the service is hosted by Microsoft, there is no locally installed version to check. Consult the Microsoft advisory for the fix status and any tenant-side action.
Confirm the service-side fix through the Microsoft advisory. As defense in depth, segment the network so the platform cannot reach internal endpoints it does not need, and allowlist destination URLs in custom connectors and flows instead of accepting attacker-influenced targets.
No public exploit is known at the time of writing, but SSRF bugs are typically easy to exploit once understood. Monitor connector and gateway logs for outbound requests to internal address ranges or cloud metadata endpoints.
Refer to the official Microsoft Security Update Guide for CVE-2025-47733 for detailed information and the fixed version.