CVE-2025-54425
📋 TL;DR
This vulnerability allows unauthorized users to access cached content from Umbraco's Content Delivery API even when API key authentication is required. Attackers can retrieve sensitive cached responses if a legitimate user with a valid API key recently accessed the same endpoint. This affects Umbraco CMS installations using both API key authentication and output caching.
💻 Affected Systems
- Umbraco CMS
📦 What is this software?
Umbraco Cms by Umbraco
⚠️ Risk & Real-World Impact
Worst Case
Sensitive content intended only for authorized users is exposed to the public, potentially leaking confidential data, user information, or proprietary content.
Likely Case
Unauthorized access to cached API responses containing non-critical but potentially sensitive content that should be protected.
If Mitigated
Limited exposure of cached content with minimal sensitive data, or no impact if caching is disabled or API keys aren't required.
🎯 Exploit Status
Exploitation requires knowledge of API endpoints and timing to hit recently cached responses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.9.3, 15.4.4, 16.1.1
Vendor Advisory: https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr
Restart Required: Yes
Instructions:
1. Back up your Umbraco installation and database.
2. Update to the patched version via the NuGet package manager or a manual upgrade.
3. Restart the application pool or IIS.
4. Verify the fix by testing API access with and without a valid API key.
🔧 Temporary Workarounds
Disable output caching
Temporarily disable output caching for the Content Delivery API so that responses generated for an authenticated request are never served from cache to an unauthenticated one.
Modify the Umbraco configuration to set output caching to false for Content Delivery API endpoints.
Disable API key authentication
Remove the API key requirement if caching is essential and the sensitivity of the content allows it.
Update the Content Delivery API configuration to remove the API key authentication requirement.
🧯 If You Can't Patch
- Disable output caching for Content Delivery API endpoints
- Implement an additional authentication layer (IP allowlisting, WAF rules) in front of the API endpoints
🔍 How to Verify
Check if Vulnerable:
Check whether you are running an affected Umbraco version AND both API key authentication and output caching are enabled for the Content Delivery API.
Check Version:
Check the Umbraco version in the admin dashboard or via the /umbraco/api/version endpoint.
Verify Fix Applied:
Request an API endpoint with a valid API key, then immediately request the same endpoint without the API key: a patched installation returns 401/403 instead of the cached response.
📡 Detection & Monitoring
Log Indicators:
- Multiple 200 responses to same API endpoint from different IPs without API key headers
- API requests with missing/invalid API keys returning cached content
Network Indicators:
- Unauthorized HTTP GET requests to Content Delivery API endpoints returning 200 status
- Repeated requests to same API paths without authentication headers
SIEM Query:
source="umbraco" AND (uri_path CONTAINS "/umbraco/delivery/api" OR uri_path CONTAINS "/api/delivery") AND http_status=200 AND NOT (http_header CONTAINS "Api-Key" OR http_header CONTAINS "Authorization")
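The SIEM query above only flags unauthenticated 200s. The script below is an added example (not part of this advisory or of Umbraco) that also applies the first log indicator: it correlates each unauthenticated 200 on a Delivery API path with the most recent authenticated 200 on the same path, and reports it when that hit came from a different client within a short window. The log format (timestamp, client IP, method, path, status, comma-separated request header names) and the sample lines are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): ts ip method path status header-names
SAMPLE_LOG = """\
2025-08-01T10:00:01Z 203.0.113.10 GET /umbraco/delivery/api/v2/content/item/private-page 200 Api-Key,Accept
2025-08-01T10:00:04Z 198.51.100.7 GET /umbraco/delivery/api/v2/content/item/private-page 200 Accept
2025-08-01T10:05:00Z 198.51.100.7 GET /umbraco/delivery/api/v2/content/item/private-page 401 Accept
2025-08-01T10:06:00Z 192.0.2.5 GET /umbraco/backoffice/login 200 Accept
2025-08-01T10:07:00Z 198.51.100.9 GET /api/delivery/content 200 Authorization,Accept
"""

DELIVERY_PATHS = ("/umbraco/delivery/api", "/api/delivery")   # path prefixes from the SIEM query
AUTH_HEADERS = {"api-key", "authorization"}                   # header names that carry the key
WINDOW = timedelta(seconds=60)                                 # assumed correlation window


@dataclass
class Event:
    ts: datetime
    ip: str
    path: str
    status: int
    authenticated: bool


def parse_line(line: str) -> Event:
    """Parse one constructed access-log line into an Event."""
    ts, ip, _method, path, status, headers = line.split()
    names = {h.strip().lower() for h in headers.split(",")}
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 ip, path, int(status), bool(names & AUTH_HEADERS))


def find_suspicious(log_text: str) -> list:
    """Return (timestamp, ip, path, reason) for unauthenticated 200s on Delivery API paths."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    last_auth_hit = {}   # path -> most recent authenticated 200 on that path
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.path.startswith(DELIVERY_PATHS) or ev.status != 200:
            continue
        if ev.authenticated:
            last_auth_hit[ev.path] = ev
            continue
        reason = "unauthenticated 200 on Delivery API path"
        prior = last_auth_hit.get(ev.path)
        if prior and ev.ts - prior.ts <= WINDOW and prior.ip != ev.ip:
            delta = int((ev.ts - prior.ts).total_seconds())
            reason += f"; {delta}s after authenticated hit from {prior.ip} (possible cached response)"
        findings.append((ev.ts.isoformat(), ev.ip, ev.path, reason))
    return findings
```

On the sample data the only finding is the 10:00:04 request from 198.51.100.7, reported 3 s after the authenticated hit from 203.0.113.10; the later 401 shows the expected post-patch behaviour and is not flagged.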
🔗 References
- https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api
- https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e
- https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0
- https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr