CVE-2025-54425 Overview
CVE-2025-54425 is an information disclosure vulnerability in the Umbraco CMS content delivery API. When administrators restrict the delivery API using an API key header and simultaneously enable output caching, the cache does not vary by the API key header. An unauthenticated attacker can retrieve cached responses for any path and query previously requested by a valid API key holder. The flaw affects Umbraco versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1, and 16.0.0 through 16.1.0. It is fixed in versions 13.9.3, 15.4.4, and 16.1.1.
Critical Impact
Unauthenticated attackers can bypass API key authorization and read cached content intended only for authorized delivery API consumers.
Affected Products
- Umbraco CMS 13.0.0 through 13.9.2
- Umbraco CMS 15.0.0 through 15.4.1
- Umbraco CMS 16.0.0 through 16.1.0
Discovery Timeline
- 2025-07-30 - CVE-2025-54425 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-54425
Vulnerability Analysis
The vulnerability lives in the DeliveryApiOutputCachePolicy class within src/Umbraco.Cms.Api.Delivery/Caching/. Umbraco allows operators to lock the content delivery API behind an API key supplied via a request header. Operators can also enable output caching to improve response performance. When both features are active, the cache policy fails to include the API key header in the cache variance rules.
A valid API key holder issues a request for a given path and query, and the response is stored in the output cache. A subsequent unauthenticated request for the same path and query returns the cached response, bypassing the API key check entirely. This maps to [CWE-200]: Exposure of Sensitive Information to an Unauthorized Actor.
Root Cause
The cache policy enabled output caching based solely on whether the request was a preview request. It did not consult the delivery API access service before caching. As a result, responses generated for private, key-authorized clients were stored in a shared cache and served to any subsequent caller matching the cache key.
Attack Vector
An attacker sends unauthenticated HTTP requests to delivery API endpoints on a target Umbraco site. If a legitimate client with a valid API key recently requested the same path and query, the attacker receives the cached response containing the protected content. No authentication, user interaction, or privileges are required.
// Security patch in DeliveryApiOutputCachePolicy.cs
.RequestServices
.GetRequiredService<IRequestPreviewService>();
- context.EnableOutputCaching = requestPreviewService.IsPreview() is false;
+ IApiAccessService apiAccessService = context
+ .HttpContext
+ .RequestServices
+ .GetRequiredService<IApiAccessService>();
+
+ context.EnableOutputCaching = requestPreviewService.IsPreview() is false && apiAccessService.HasPublicAccess();
context.ResponseExpirationTimeSpan = _duration;
return ValueTask.CompletedTask;
// Source: https://github.com/umbraco/Umbraco-CMS/commit/7e82c258eebaa595eadc9b000461e27d02bc030e
The patch injects IApiAccessService and disables output caching whenever the delivery API is not publicly accessible, ensuring key-protected responses are never cached.
Detection Methods for CVE-2025-54425
Indicators of Compromise
- Successful HTTP 200 responses to /umbraco/delivery/api/ endpoints from clients that did not present the configured Api-Key header.
- Access log entries showing identical delivery API URLs served to both key-bearing and non-key-bearing clients within the output cache window.
- Unexpected external clients requesting delivery API paths that mirror internal or partner integration paths.
Detection Strategies
- Inspect web server and reverse proxy logs for delivery API requests lacking the API key header that returned cached content responses.
- Compare request headers against response status codes to identify authorization bypass patterns on protected delivery endpoints.
- Enable verbose logging on the delivery API pipeline and alert when HasPublicAccess() returns false but a response is served from cache.
Monitoring Recommendations
- Monitor Umbraco version strings across your estate to identify hosts still running vulnerable 13.x, 15.x, or 16.x builds.
- Track anomalies in delivery API response ratios between authenticated and unauthenticated clients over rolling time windows.
- Alert on repeated unauthenticated hits against delivery API URLs that were configured to require an API key.
How to Mitigate CVE-2025-54425
Immediate Actions Required
- Upgrade Umbraco CMS to 13.9.3, 15.4.4, or 16.1.1 depending on your major version branch.
- Rotate any delivery API keys that may have been exposed while the vulnerable configuration was in use.
- Audit output cache contents and clear the cache after upgrading to remove any responses generated before the patch.
Patch Information
Umbraco released fixes in versions 13.9.3, 15.4.4, and 16.1.1. Review the GitHub Security Advisory GHSA-75vq-qvhr-7ffr and the corresponding patch commit for full details.
Workarounds
- Disable delivery API output caching until the patched version is deployed, accepting the performance trade-off.
- Restrict access to the delivery API at the network or reverse proxy layer by allow-listing client IP addresses that hold valid API keys.
- Terminate API key validation at an upstream gateway that also enforces cache variance on the key header, preventing shared cache reuse.
# Example: disable delivery API output caching in appsettings.json
{
"Umbraco": {
"CMS": {
"DeliveryApi": {
"Enabled": true,
"PublicAccess": false,
"OutputCache": {
"Enabled": false
}
}
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

