CVE-2025-54425

EPSS 0.31%
Veröffentlicht 30.07.2025 13:41:07
Zuletzt bearbeitet 22.09.2025 13:53:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Umbraco's Delivery API allows for cached requests to be returned with an invalid API key

Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance. There's an issue when these two things are used together, where caching doesn't vary by the header that contains the API key. As such, it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

NVD 3 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Umbraco ≫ Umbraco Cms Version >= 13.0.0 < 13.9.3

Umbraco ≫ Umbraco Cms Version >= 15.0.0 < 15.4.4

Umbraco ≫ Umbraco Cms Version >= 16.0.0 < 16.1.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.221

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr

Third Party Advisory

https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e

Patch

https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0

Patch

https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a

Patch

https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api

Product

https://nvd.nist.gov/vuln/detail/CVE-2025-54425

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54425

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54425

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-54425