GHSA-75VQ-QVHR-7FFR

Vulnerability from github – Published: 2025-07-29 19:10 – Updated: 2025-07-30 15:42
VLAI?
Summary
Umbraco Delivery API allows for cached requests to be returned with an invalid API key
Details

Impact

Umbraco's content delivery API can be restricted from public access such that an API key must be provided in a header to authorize the request.

It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance.

There's an issue when these two things are used together though in that the caching doesn't vary by the header that contains the API key. As such it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key.

Patches

Patches will be available in 13.9.3, 15.4.4 and 16.1.1.

Workarounds

Workaround is to remove or reduce the time period of the output caching or to provide other restrictions to access the delivery API such as by IP.

References

Content delivery API documentation: https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 13.9.2"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms.Api.Delivery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 15.4.3"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms.Api.Delivery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.0"
            },
            {
              "fixed": "15.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 16.1.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Umbraco.Cms.Api.Delivery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-29T19:10:39Z",
    "nvd_published_at": "2025-07-30T14:15:29Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nUmbraco\u0027s [content delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api) can be restricted from public access such that an API key must be provided in a header to authorize the request.\n\nIt\u0027s also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance.\n\nThere\u0027s an issue when these two things are used together though in that the caching doesn\u0027t vary by the header that contains the API key.  As such it\u0027s possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key.\n\n### Patches\nPatches will be available in 13.9.3, 15.4.4 and 16.1.1.\n\n### Workarounds\nWorkaround is to remove or reduce the time period of the output caching or to provide other restrictions to access the delivery API such as by IP.\n\n### References\nContent delivery API documentation: https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api",
  "id": "GHSA-75vq-qvhr-7ffr",
  "modified": "2025-07-30T15:42:05Z",
  "published": "2025-07-29T19:10:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54425"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a"
    },
    {
      "type": "WEB",
      "url": "https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco-CMS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Umbraco Delivery API allows for cached requests to be returned with an invalid API key"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.