CVE-2025-54425
BaseFortify
Publication date: 2025-07-30
Last updated on: 2025-09-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| umbraco | umbraco_cms | From 13.0.0 (inc) to 13.9.3 (exc) |
| umbraco | umbraco_cms | From 15.0.0 (inc) to 15.4.4 (exc) |
| umbraco | umbraco_cms | From 16.0.0 (inc) to 16.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Umbraco CMS versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1, and 16.0.0 through 16.1.0. When the content delivery API is restricted by requiring an API key in a header for authorization, and output caching is enabled, the caching mechanism does not differentiate responses based on the API key header. This means that a user without a valid API key can receive cached responses that were originally requested with a valid API key, potentially exposing restricted content.
How can this vulnerability impact me?
The vulnerability can allow unauthorized users to access cached content from the content delivery API that should be restricted by API key authorization. This can lead to unintended data exposure, where sensitive or restricted content is accessible without proper authentication.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Umbraco to version 13.9.3, 15.4.4, or 16.1.1 or later, where the caching issue with the API key header has been fixed. Until then, consider disabling output caching on the content delivery API to prevent unauthorized access via cached responses.
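The following is an added example, not Umbraco's code and not part of this record, that models the cache-keying defect described above and the two ways out of it. It represents the output cache as a dictionary in front of a handler that checks an API key header; the header name "Api-Key", the request path and the sample key are constructed assumptions. It compares three policies: keying the cache on the path only (the reported behaviour, where a request without a key is served the authorized caller's cached body), keying on path plus the API key header (the response varies by the credential), and refusing to cache any request that carries the header at all (equivalent in effect to disabling output caching for the restricted API).

```python
"""Model of an HTTP output cache in front of an API-key-protected endpoint.

Constructed example: the cache key and cacheability predicate are the
policies under test. Header name, path and key are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

API_KEY_HEADER = "Api-Key"            # assumed header name for the API key
VALID_KEY = "constructed-valid-key"   # constructed sample credential
PATH = "/api/content/restricted"      # constructed sample path


@dataclass
class Response:
    status: int
    body: str


def origin(path: str, headers: Dict[str, str]) -> Response:
    """Origin handler: only callers presenting the valid API key get content."""
    if headers.get(API_KEY_HEADER) != VALID_KEY:
        return Response(401, "")
    return Response(200, f"restricted content for {path}")


CacheKey = Tuple[str, ...]
KeyFn = Callable[[str, Dict[str, str]], CacheKey]
CacheableFn = Callable[[str, Dict[str, str], Response], bool]


def cache_everything(path: str, headers: Dict[str, str], resp: Response) -> bool:
    return True


def never_cache_keyed_requests(path: str, headers: Dict[str, str], resp: Response) -> bool:
    """Do not store responses for requests that carried the credential header."""
    return API_KEY_HEADER not in headers


@dataclass
class OutputCache:
    """Minimal output cache; key_fn decides what 'the same request' means."""
    key_fn: KeyFn
    cacheable: CacheableFn = cache_everything
    store: Dict[CacheKey, Response] = field(default_factory=dict)

    def handle(self, path: str, headers: Dict[str, str]) -> Response:
        key = self.key_fn(path, headers)
        if key in self.store:
            return self.store[key]            # served from cache, origin not consulted
        resp = origin(path, headers)
        if resp.status == 200 and self.cacheable(path, headers, resp):
            self.store[key] = resp
        return resp


def key_by_path(path: str, headers: Dict[str, str]) -> CacheKey:
    """Weak policy: the credential header plays no part in the cache key."""
    return (path,)


def key_by_path_and_api_key(path: str, headers: Dict[str, str]) -> CacheKey:
    """Vary-by-header policy: one cache entry per (path, API key) pair."""
    return (path, headers.get(API_KEY_HEADER, ""))


def replay(cache: OutputCache) -> Tuple[int, int]:
    """An authorized request populates the cache, then an unauthorized request
    for the same path follows. Returns the two status codes."""
    first = cache.handle(PATH, {API_KEY_HEADER: VALID_KEY})
    second = cache.handle(PATH, {})
    return first.status, second.status


if __name__ == "__main__":
    print("path-only key:        ", replay(OutputCache(key_by_path)))
    print("vary by Api-Key:      ", replay(OutputCache(key_by_path_and_api_key)))
    print("no caching with key:  ", replay(OutputCache(key_by_path, never_cache_keyed_requests)))
```

With the path-only key the second, unauthenticated request is answered 200 from the cache; with either corrected policy it reaches the origin and is refused with 401. Varying on the header keeps caching for authorized callers but stores a copy of the content per credential value, so a cache key should hash the credential rather than embed it; not caching keyed requests at all is the simpler interim choice the mitigation above describes.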