CVE-2025-54425

July 31, 2025, 6:42 p.m.

5.3
Medium

Description

Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance. There's an issue when these two things are used together, where caching doesn't vary by the header that contains the API key. As such, it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1.

Product(s) Impacted

Vendor Product Versions
Umbraco
  • Umbraco
  • *, 13.9.3, 15.4.4, 16.1.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a umbraco umbraco / 13.0.0-13.9.2 / / / / / /
a umbraco umbraco / 15.0.0-15.4.1 / / / / / /
a umbraco umbraco / 16.0.0-16.1.0 / / / / / /
a umbraco umbraco 13.9.3 / / / / / / /
a umbraco umbraco 15.4.4 / / / / / / /
a umbraco umbraco 16.1.1 / / / / / / /

References

https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api
https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e
https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0
https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr

Tags

security-advisories@github.com
CWE-200
2025-07-30
CVE-2025-54425

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: July 30, 2025, 2:15 p.m.
Last Modified: July 31, 2025, 6:42 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.