CVE-2025-54425: Umbraco Delivery API allows for cached requests to be returned with an invalid API key
(updated )
Umbraco’s content delivery API can be restricted from public access such that an API key must be provided in a header to authorize the request.
It’s also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance.
There’s an issue when these two things are used together though in that the caching doesn’t vary by the header that contains the API key. As such it’s possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key.
References
- docs.umbraco.com/umbraco-cms/reference/content-delivery-api
- github.com/advisories/GHSA-75vq-qvhr-7ffr
- github.com/umbraco/Umbraco-CMS
- github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e
- github.com/umbraco/Umbraco-CMS/commit/9f37db18d11c8ba4e3ecdeb35291af30ebee7cd0
- github.com/umbraco/Umbraco-CMS/commit/da43086017e1e318f6b5373391d78421efebce3a
- github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-75vq-qvhr-7ffr
- nvd.nist.gov/vuln/detail/CVE-2025-54425
Code Behaviors & Features
Detect and mitigate CVE-2025-54425 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →