CVE-2025-54425 (GCVE-0-2025-54425)
Vulnerability from cvelistv5
Published: 2025-07-30 13:41
Modified: 2025-07-30 14:06
Severity: MEDIUM (CVSS 3.1 base score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance. There's an issue when these two things are used together, where caching doesn't vary by the header that contains the API key. As such, it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by a request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1.
References
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr (x_refsource_CONFIRM)
- https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e (x_refsource_MISC)
- https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0 (x_refsource_MISC)
- https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a (x_refsource_MISC)
- https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api (x_refsource_MISC)
Impacted products
Vendor | Product | Version
---|---|---
umbraco | Umbraco-CMS | >= 13.0.0, < 13.9.3
umbraco | Umbraco-CMS | >= 15.0.0, < 15.4.4
umbraco | Umbraco-CMS | >= 16.0.0, < 16.1.1
```json
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54425",
                "options": [
                  { "Exploitation": "none" },
                  { "Automatable": "yes" },
                  { "Technical Impact": "partial" }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-30T14:06:04.811624Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T14:06:12.115Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Umbraco-CMS",
          "vendor": "umbraco",
          "versions": [
            { "status": "affected", "version": ">= 13.0.0, < 13.9.3" },
            { "status": "affected", "version": ">= 15.0.0, < 15.4.4" },
            { "status": "affected", "version": ">= 16.0.0, < 16.1.1" }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance. There's an issue when these two things are used together, where caching doesn't vary by the header that contains the API key. As such, it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-30T13:41:07.799Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr",
          "tags": [ "x_refsource_CONFIRM" ],
          "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr"
        },
        {
          "name": "https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e",
          "tags": [ "x_refsource_MISC" ],
          "url": "https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e"
        },
        {
          "name": "https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0",
          "tags": [ "x_refsource_MISC" ],
          "url": "https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0"
        },
        {
          "name": "https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a",
          "tags": [ "x_refsource_MISC" ],
          "url": "https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a"
        },
        {
          "name": "https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api",
          "tags": [ "x_refsource_MISC" ],
          "url": "https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api"
        }
      ],
      "source": {
        "advisory": "GHSA-75vq-qvhr-7ffr",
        "discovery": "UNKNOWN"
      },
      "title": "Umbraco's Delivery API allows for cached requests to be returned with an invalid API key"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54425",
    "datePublished": "2025-07-30T13:41:07.799Z",
    "dateReserved": "2025-07-21T23:18:10.282Z",
    "dateUpdated": "2025-07-30T14:06:12.115Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54425\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-30T14:15:29.073\",\"lastModified\":\"2025-07-31T18:42:37.870\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance. There's an issue when these two things are used together, where caching doesn't vary by the header that contains the API key. As such, it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1.\"},{\"lang\":\"es\",\"value\":\"Umbraco es un CMS ASP.NET. En las versiones 13.0.0 a 13.9.2, 15.0.0 a 15.4.1 y 16.0.0 a 16.1.0, se puede restringir el acceso público a la API de entrega de contenido, donde se debe proporcionar una clave de API en un encabezado para autorizar la solicitud. También es posible configurar el almacenamiento en caché de salida, de modo que las salidas de la API de entrega se almacenen en caché durante un período, lo que mejora el rendimiento. Existe un problema cuando se utilizan estas dos opciones juntas: el almacenamiento en caché no varía según el encabezado que contiene la clave de API. Por lo tanto, es posible que un usuario sin una clave de API válida recupere una respuesta para una ruta y consulta determinadas si se ha solicitado recientemente y se ha almacenado en caché mediante una solicitud con una clave válida. Esto se solucionó en las versiones 13.9.3, 15.4.4 y 16.1.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54425\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-30T14:06:04.811624Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-30T14:06:06.987Z\"}}], \"cna\": {\"title\": \"Umbraco's Delivery API allows for cached requests to be returned with an invalid API key\", \"source\": {\"advisory\": \"GHSA-75vq-qvhr-7ffr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"umbraco\", \"product\": \"Umbraco-CMS\", \"versions\": [{\"status\": \"affected\", \"version\": \">= 13.0.0, < 13.9.3\"}, {\"status\": \"affected\", \"version\": \">= 15.0.0, < 15.4.4\"}, {\"status\": \"affected\", \"version\": \">= 16.0.0, < 16.1.1\"}]}], \"references\": [{\"url\": \"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr\", \"name\": \"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e\", \"name\": \"https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0\", \"name\": \"https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a\", \"name\": \"https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api\", \"name\": \"https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance. There's an issue when these two things are used together, where caching doesn't vary by the header that contains the API key. As such, it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-30T13:41:07.799Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54425\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-30T14:06:12.115Z\", \"dateReserved\": \"2025-07-21T23:18:10.282Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-30T13:41:07.799Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}
```