5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-54425

GHSA ID

GHSA-75vq-qvhr-7ffr

EPSS Score

CWE

CWE-200

Published

7/29/2025

Updated

7/29/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54425

CVE-2025-54425: Umbraco Delivery API allows for cached requests to be returned with an invalid API key

Impact

Umbraco's content delivery API can be restricted from public access such that an API key must be provided in a header to authorize the request.

It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance.

There's an issue when these two things are used together though in that the caching doesn't vary by the header that contains the API key. As such it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key.

Patches

Patches will be available in 13.9.3, 15.4.4 and 16.1.1.

Workarounds

Workaround is to remove or reduce the time period of the output caching or to provide other restrictions to access the delivery API such as by IP.

References

Content delivery API documentation: https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-54425

CVE-2025-54425:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-54425

GHSA ID

GHSA-75vq-qvhr-7ffr

EPSS Score

CWE

CWE-200

Published

7/29/2025

Updated

7/29/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Umbraco.Cms.Api.Delivery	nuget	>= 13.0.0, <= 13.9.2	13.9.3
Umbraco.Cms.Api.Delivery	nuget	>= 15.0.0, <= 15.4.3	15.4.4
Umbraco.Cms.Api.Delivery	nuget	>= 16.0.0, <= 16.1.0	16.1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security vulnerability allows unauthorized access to cached content in Umbraco's Delivery API. The root cause is the improper caching policy that does not account for the API key used in requests. When a request with a valid API key is made to a protected endpoint, the response is cached. Subsequent requests to the same endpoint, even without a valid API key, would receive the cached response, leading to an information disclosure vulnerability. The analysis of the provided patches shows that the fix is in the CacheRequestAsync method of the DeliveryApiOutputCachePolicy class. The patch introduces a check to verify if the API has public access before enabling output caching. This ensures that only responses for public content are cached, mitigating the risk of leaking sensitive information. Therefore, the CacheRequestAsync function is identified as the vulnerable function because its logic was insufficient to prevent the caching of protected content.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-54425: Umbraco Delivery API allows for cached requests to be returned with an invalid API key

Impact

Patches

Workarounds

References

CVE-2025-54425:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.3

5.3

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-54425: Umbraco Delivery API allows for cached requests to be returned with an invalid API key

Impact

Patches

Workarounds

References

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI