CVE-2025-54425: Umbraco CMS API Key Bypass via Caching Vulnerability

Umbraco is a popular ASP.NET content management system (CMS). A vulnerability has been identified in Umbraco's content delivery API when using API key authentication in conjunction with output caching. This flaw can allow unauthorized users to access content that should be protected by an API key.

🔍 TL;DR Summary

In Umbraco CMS, enabling both API key authentication and output caching on the Content Delivery API can lead to an API key bypass. If a request is cached with a valid API key, subsequent requests without a key can retrieve the cached response, exposing protected content. Update to versions 13.9.3, 15.4.4, or 16.1.1 to fix this.

🚨 Vulnerability Details

  • CVE ID: CVE-2025-54425
  • Description: The Umbraco Content Delivery API, when configured to require an API key and use output caching, does not properly vary the cache based on the presence and validity of the API key. This allows users without a valid API key to potentially retrieve cached responses intended only for authenticated users.
  • CVSS Score and Vector: CVSS 3.1 score of 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    Explanation: This score indicates a vulnerability that is reachable over the network with low attack complexity, no privileges required, and no user interaction. The impact is limited to a low loss of confidentiality, with no effect on integrity or availability.

  • Exploit Requirements: The Umbraco instance must have the Content Delivery API enabled, API key authentication activated, and output caching configured. An attacker needs to know the URL of a resource that has been recently cached with a valid API key.
  • Affected Vendor, Product, Version:
    • Vendor: Umbraco
    • Product: Umbraco CMS
    • Versions: 13.0.0 through 13.9.2, 15.0.0 through 15.4.1, and 16.0.0 through 16.1.0
  • CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.

    Explanation: This CWE refers to scenarios where sensitive information is exposed to unintended recipients, violating confidentiality. In this case, the API key is intended to restrict access, but the caching mechanism circumvents this protection.

📅 Timeline of Events

  • 2025-07-30: CVE Published
  • 2025-07-30: GitHub Security Advisory Released
  • Fixed Versions: Patches released in versions 13.9.3, 15.4.4 and 16.1.1

🧠 Exploitability & Real-World Risk

This vulnerability is relatively easy to exploit if the conditions (API key authentication and caching enabled) are met. An attacker doesn't need any special privileges or technical skills. The real-world risk depends on the sensitivity of the content exposed. If the API is used to deliver confidential data, such as user profiles or financial information, the risk is high. The impact is lessened if the exposed content is relatively benign.

🛠️ Recommendations

  • Upgrade: Upgrade Umbraco CMS to versions 13.9.3, 15.4.4, or 16.1.1.
  • Disable Caching: As a temporary workaround, disable output caching for the Content Delivery API if upgrading is not immediately possible.
  • Review API Usage: Examine how the Content Delivery API is being used and whether it's exposing sensitive information.

🧪 Technical Insight

The vulnerability arises from the fact that the caching mechanism in Umbraco does not properly consider the API key present in the request header. When a request with a valid API key is processed, the response is cached. Subsequent requests for the same resource, even without an API key, will retrieve the cached response, effectively bypassing the authentication check. The fix likely involves ensuring that the cache key includes the API key header, thus creating separate cached responses for authenticated and unauthenticated requests.
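To make the mechanism concrete, here is an added Python model (not Umbraco's code) of an output cache sitting in front of an API-key-protected endpoint: the cache key either ignores the key header (the vulnerable behaviour) or includes it (the fix). The header name `Api-Key`, the sample key and the path are assumptions for the demo.

```python
"""Model of the CVE-2025-54425 mechanism: output caching that does not vary
on the API key header lets an unauthenticated request reuse a response that
was cached for an authenticated one. Constructed example, not Umbraco code."""
from dataclasses import dataclass, field

API_KEY_HEADER = "Api-Key"          # assumed header name for the demo
VALID_KEYS = {"demo-secret-key"}    # constructed sample key

@dataclass
class Response:
    status: int
    body: str

def delivery_api(path: str, headers: dict) -> Response:
    """Origin handler: enforces the API key before returning content."""
    if headers.get(API_KEY_HEADER) not in VALID_KEYS:
        return Response(401, "")
    return Response(200, f"protected content for {path}")

@dataclass
class OutputCache:
    vary_by_header: bool                  # False = vulnerable, True = fixed
    store: dict = field(default_factory=dict)

    def key(self, path: str, headers: dict) -> tuple:
        # Vulnerable keying: path only, so one cached copy serves everyone.
        # Fixed keying: path plus the key header, so entries never cross over.
        if self.vary_by_header:
            return (path, headers.get(API_KEY_HEADER))
        return (path,)

    def handle(self, path: str, headers: dict) -> Response:
        k = self.key(path, headers)
        if k in self.store:               # cache hit: origin auth check is skipped
            return self.store[k]
        resp = delivery_api(path, headers)
        if resp.status == 200:            # model caches only successful responses
            self.store[k] = resp
        return resp

def replay(vary_by_header: bool) -> tuple:
    """Authenticated request first, then the same path without a key.
    Returns (status seen by the key holder, status seen by the anonymous caller)."""
    cache = OutputCache(vary_by_header)
    path = "/api/content/demo"            # constructed path
    authed = cache.handle(path, {API_KEY_HEADER: "demo-secret-key"})
    anon = cache.handle(path, {})
    return authed.status, anon.status
```

Upgrading is the actual fix; the model only shows why varying the cache entry on the key header (or not caching key-protected responses at all, as in the disable-caching workaround) closes the gap.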

🙌 Credit to Researcher(s)

This vulnerability was identified and reported via GitHub Security Advisory.

🧵 Tags

Umbraco, CMS, API Key, Caching, Vulnerability, CVE-2025-54425, Security, GHSA-75vq-qvhr-7ffr

Summary: A caching vulnerability in Umbraco CMS's Content Delivery API allows unauthenticated users to bypass API key restrictions when output caching is enabled. Upgrade to versions 13.9.3, 15.4.4, or 16.1.1 to resolve this issue.

CVE ID: CVE-2025-54425

Risk Analysis: If exploited, this vulnerability could lead to unauthorized access to sensitive content managed by the Umbraco CMS, potentially compromising confidential data or intellectual property.

Recommendation: Upgrade to Umbraco CMS versions 13.9.3, 15.4.4, or 16.1.1 to mitigate this vulnerability. As a temporary workaround, disable output caching for the Content Delivery API.

Timeline

  • 2025-07-30: CVE Published and GHSA released
  • Fixed Versions: Patches released in versions 13.9.3, 15.4.4 and 16.1.1
