CVE-2025-54425 (GCVE-0-2025-54425)

Vulnerability from cvelistv5 – Published: 2025-07-30 13:41 – Updated: 2025-07-30 14:06
VLAI?
Title
Umbraco's Delivery API allows for cached requests to be returned with an invalid API key
Summary
Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance. There's an issue when these two things are used together, where caching doesn't vary by the header that contains the API key. As such, it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1.
Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
Vendor Product Version
umbraco Umbraco-CMS Affected: >= 13.0.0, < 13.9.3
Affected: >= 15.0.0, < 15.4.4
Affected: >= 16.0.0, < 16.1.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54425",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-30T14:06:04.811624Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T14:06:12.115Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Umbraco-CMS",
          "vendor": "umbraco",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 13.0.0, \u003c 13.9.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 15.0.0, \u003c 15.4.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0, \u003c 16.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It\u0027s also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance. There\u0027s an issue when these two things are used together, where caching doesn\u0027t vary by the header that contains the API key. As such, it\u0027s possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-30T13:41:07.799Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr"
        },
        {
          "name": "https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e"
        },
        {
          "name": "https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0"
        },
        {
          "name": "https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a"
        },
        {
          "name": "https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api"
        }
      ],
      "source": {
        "advisory": "GHSA-75vq-qvhr-7ffr",
        "discovery": "UNKNOWN"
      },
      "title": "Umbraco\u0027s Delivery API allows for cached requests to be returned with an invalid API key"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54425",
    "datePublished": "2025-07-30T13:41:07.799Z",
    "dateReserved": "2025-07-21T23:18:10.282Z",
    "dateUpdated": "2025-07-30T14:06:12.115Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54425\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-30T14:06:04.811624Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-30T14:06:06.987Z\"}}], \"cna\": {\"title\": \"Umbraco\u0027s Delivery API allows for cached requests to be returned with an invalid API key\", \"source\": {\"advisory\": \"GHSA-75vq-qvhr-7ffr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"umbraco\", \"product\": \"Umbraco-CMS\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 13.0.0, \u003c 13.9.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 15.0.0, \u003c 15.4.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 16.0.0, \u003c 16.1.1\"}]}], \"references\": [{\"url\": \"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr\", \"name\": \"https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e\", \"name\": \"https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0\", \"name\": \"https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a\", \"name\": \"https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api\", \"name\": \"https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It\u0027s also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance. There\u0027s an issue when these two things are used together, where caching doesn\u0027t vary by the header that contains the API key. As such, it\u0027s possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-30T13:41:07.799Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54425\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-30T14:06:12.115Z\", \"dateReserved\": \"2025-07-21T23:18:10.282Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-30T13:41:07.799Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.