ghsa-75vq-qvhr-7ffr
Vulnerability from github
Published
2025-07-29 19:10
Modified
2025-07-30 15:42
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Umbraco Delivery API allows for cached requests to be returned with an invalid API key
Details

Impact

Umbraco's content delivery API can be restricted from public access such that an API key must be provided in a header to authorize the request.

It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance.

There's an issue when these two things are used together though in that the caching doesn't vary by the header that contains the API key. As such it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key.

Patches

Patches will be available in 13.9.3, 15.4.4 and 16.1.1.

Workarounds

Workaround is to remove or reduce the time period of the output caching or to provide other restrictions to access the delivery API such as by IP.

References

Content delivery API documentation: https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 13.9.2"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms.Api.Delivery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 15.4.3"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms.Api.Delivery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.0"
            },
            {
              "fixed": "15.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 16.1.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms.Api.Delivery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-29T19:10:39Z",
    "nvd_published_at": "2025-07-30T14:15:29Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nUmbraco\u0027s [content delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api) can be restricted from public access such that an API key must be provided in a header to authorize the request.\n\nIt\u0027s also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance.\n\nThere\u0027s an issue when these two things are used together though in that the caching doesn\u0027t vary by the header that contains the API key.  As such it\u0027s possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key.\n\n### Patches\nPatches will be available in 13.9.3, 15.4.4 and 16.1.1.\n\n### Workarounds\nWorkaround is to remove or reduce the time period of the output caching or to provide other restrictions to access the delivery API such as by IP.\n\n### References\nContent delivery API documentation: https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api",
  "id": "GHSA-75vq-qvhr-7ffr",
  "modified": "2025-07-30T15:42:05Z",
  "published": "2025-07-29T19:10:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54425"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a"
    },
    {
      "type": "WEB",
      "url": "https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco-CMS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco Delivery API allows for cached requests to be returned with an invalid API key"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.