Information disclosure in Umbraco Umbraco-cms
CVE-2025-54425
Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the req…
Vulnerability class: Information Disclosure
EPSS: 0.003 (52.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
Affected products
- Umbraco Umbraco-cms — versions >= 13.0.0, < 13.9.3, >= 15.0.0, < 15.4.4, >= 16.0.0, < 16.1.1
Weakness classification (CWE)
References
- https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr (x_refsource_CONFIRM)
- https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e (x_refsource_MISC)
- https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0 (x_refsource_MISC)
- https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a (x_refsource_MISC)
- https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api (x_refsource_MISC)
Frequently asked questions
- What is CVE-2025-54425?
- CVE-2025-54425 is a medium-severity vulnerability in Umbraco Umbraco-cms, classified under Information Disclosure. CVSS score: 5.3/10. Published 2025-07-30.
- How severe is CVE-2025-54425?
- Medium severity. CVSS v3 base score is 5.3 out of 10.