Path Traversal in Umbraco Umbraco-cms
CVE-2025-32017
Umbraco is a free and open source .NET content management system. Authenticated users of the Umbraco backoffice are able to craft management API requests that exploit a path traversal vulnerability to upload files into an incorrect location…
EPSS: 0.004 (62.9th percentile)
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Umbraco Umbraco-cms, versions >= 14.0.0--preview004 and < 14.3.4; >= 15.0.0-rc1 and < 15.3.1
Weakness classification (CWE)
References
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-q62r-8ppj-xvf4 (x_refsource_CONFIRM)
- https://github.com/umbraco/Umbraco-CMS/commit/06a2a500b358ce15b1e228391eb60bd517c6e833 (x_refsource_MISC)
- https://github.com/umbraco/Umbraco-CMS/commit/d3c1443b14b1076faf13d1bcecc42860fdf5fad8 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2025-32017?
- CVE-2025-32017 is a high-severity vulnerability in Umbraco Umbraco-cms, classified under Relative Path Traversal. CVSS score: 8.8/10. Published 2025-04-08.
- How severe is CVE-2025-32017?
- High severity. CVSS v3 base score is 8.8 out of 10.