CVE-2025-54425
Umbraco's Delivery API allows for cached requests to be returned with an invalid API key
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance. There's an issue when these two things are used together, where caching doesn't vary by the header that contains the API key. As such, it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1.
Umbraco es un CMS ASP.NET. En las versiones 13.0.0 a 13.9.2, 15.0.0 a 15.4.1 y 16.0.0 a 16.1.0, se puede restringir el acceso público a la API de entrega de contenido, donde se debe proporcionar una clave de API en un encabezado para autorizar la solicitud. También es posible configurar el almacenamiento en caché de salida, de modo que las salidas de la API de entrega se almacenen en caché durante un período, lo que mejora el rendimiento. Existe un problema cuando se utilizan estas dos opciones juntas: el almacenamiento en caché no varía según el encabezado que contiene la clave de API. Por lo tanto, es posible que un usuario sin una clave de API válida recupere una respuesta para una ruta y consulta determinadas si se ha solicitado recientemente y se ha almacenado en caché mediante una solicitud con una clave válida. Esto se solucionó en las versiones 13.9.3, 15.4.4 y 16.1.1.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2025-07-21 CVE Reserved
- 2025-07-30 CVE Published
- 2025-07-31 CVE Updated
- 2025-08-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api | X_refsource_misc | |
| https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e | X_refsource_misc | |
| https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0 | X_refsource_misc | |
| https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a | X_refsource_misc | |
| https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Umbraco Search vendor "Umbraco" | Umbraco-CMS Search vendor "Umbraco" for product "Umbraco-CMS" | >= 13.0.0 < 13.9.3 Search vendor "Umbraco" for product "Umbraco-CMS" and version " >= 13.0.0 < 13.9.3" | en |
Affected
| ||||||
| Umbraco Search vendor "Umbraco" | Umbraco-CMS Search vendor "Umbraco" for product "Umbraco-CMS" | >= 15.0.0 < 15.4.4 Search vendor "Umbraco" for product "Umbraco-CMS" and version " >= 15.0.0 < 15.4.4" | en |
Affected
| ||||||
| Umbraco Search vendor "Umbraco" | Umbraco-CMS Search vendor "Umbraco" for product "Umbraco-CMS" | >= 16.0.0 < 16.1.1 Search vendor "Umbraco" for product "Umbraco-CMS" and version " >= 16.0.0 < 16.1.1" | en |
Affected
| ||||||