CVE-2025-48953: Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads

June 4, 2025

Via a manipulated API request it’s possible to upload a file that doesn’t adhere with the configured allowable file extensions.

References

github.com/advisories/GHSA-fr6r-p8hv-x3c4
github.com/umbraco/Umbraco-CMS
github.com/umbraco/Umbraco-CMS/commit/d920e93d1ee29dc3301697e444f53e8cd5db3cf9
github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fr6r-p8hv-x3c4
nvd.nist.gov/vuln/detail/CVE-2025-48953

Code Behaviors & Features

Detect and mitigate CVE-2025-48953 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →