PT-2025-31370 · Umbraco · Umbraco
Andy Butland · Published 2025-07-29 · Updated 2025-07-30
CVE-2025-54425
CVSS v3.1: 5.3 (Medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Umbraco versions 13.0.0 through 13.9.2
Umbraco versions 15.0.0 through 15.4.1
Umbraco versions 16.0.0 through 16.1.0
Description
Umbraco’s content delivery API can be restricted so that requests must carry an API key in a header to be authorized. Output caching can also be enabled to improve performance. A flaw exists when both features are enabled at the same time: the output cache keys responses on the request path and query string only and does not vary them on the API key header. As a result, a user without a valid key can retrieve the cached response for a specific path and query if a request with a valid key for that same path and query was made recently enough to still be in the cache.
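The following is an added, language-neutral model of the cache-key problem described above; it is constructed for illustration and is not Umbraco's own code. It simulates a delivery endpoint that requires a key, puts an output cache in front of it, and compares three cache-key policies: the flawed one (path and query only), one that varies on the key header, and one that bypasses the cache entirely when a key header is present. The header name `Api-Key`, the path `/delivery/content` and the key value are assumptions chosen for the demo.

```python
"""Model of an output cache that does or does not vary on an API-key header.

Constructed example for illustration; not Umbraco code. The header name,
path and key below are assumptions, not values taken from the advisory.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

API_KEY_HEADER = "Api-Key"        # assumption: header that carries the key
VALID_KEYS = {"demo-key-123"}     # constructed key for the demo only


@dataclass
class Request:
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def origin(req: Request) -> Response:
    """Simulated delivery endpoint: rejects requests without a valid key."""
    if req.headers.get(API_KEY_HEADER) not in VALID_KEYS:
        return Response(401, "")
    return Response(200, f"content for {req.path}?{req.query}")


class OutputCache:
    """Caches successful responses under a key chosen by `key_fn`.

    A key of None means "do not cache this request at all".
    """

    def __init__(self, key_fn: Callable[[Request], Optional[tuple]]):
        self._key_fn = key_fn
        self._store: dict = {}
        self.hits = 0

    def handle(self, req: Request) -> Response:
        key = self._key_fn(req)
        if key is None:
            return origin(req)
        cached = self._store.get(key)
        if cached is not None:
            self.hits += 1          # served without re-checking the key
            return cached
        resp = origin(req)
        if resp.status == 200:      # only successful responses are stored
            self._store[key] = resp
        return resp


def path_and_query_only(req: Request) -> tuple:
    """Flawed policy: the key header plays no part in the cache key."""
    return (req.path, req.query)


def vary_by_api_key(req: Request) -> tuple:
    """Hardened policy: responses are cached per distinct key header value."""
    return (req.path, req.query, req.headers.get(API_KEY_HEADER))


def bypass_for_keyed(req: Request) -> Optional[tuple]:
    """Simplest safe policy: never cache a response that needed a key."""
    if API_KEY_HEADER in req.headers:
        return None
    return (req.path, req.query)


def replay(cache: OutputCache) -> tuple:
    """Keyed request first, then the same path/query with no key.

    Returns the two status codes; the second one is the interesting one.
    """
    keyed = Request("/delivery/content", "take=10",
                    {API_KEY_HEADER: "demo-key-123"})
    anonymous = Request("/delivery/content", "take=10")
    return (cache.handle(keyed).status, cache.handle(anonymous).status)


if __name__ == "__main__":
    for name, policy in [("path+query only", path_and_query_only),
                         ("vary by Api-Key", vary_by_api_key),
                         ("bypass for keyed", bypass_for_keyed)]:
        print(f"{name:18s} -> {replay(OutputCache(policy))}")
```

With the flawed policy the second, keyless request is answered from the cache with status 200 even though the origin would have returned 401; with either hardened policy it gets the 401 the key check produces. Reducing the cache duration, as the advisory's workaround suggests, only narrows the window in which the first outcome is possible; changing what the cache key is built from removes it.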
Recommendations
Umbraco versions 13.0.0 through 13.9.2: Upgrade to version 13.9.3 or later.
Umbraco versions 15.0.0 through 15.4.1: Upgrade to version 15.4.4 or later.
Umbraco versions 16.0.0 through 16.1.0: Upgrade to version 16.1.1 or later.
As a workaround, disable output caching for the delivery API or reduce the caching duration, which shortens the window in which a cached keyed response can be served to a request without a key.
As a workaround, add further restrictions on access to the delivery API, such as allowing it only from specific IP addresses.
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Umbraco