CVE-2025-54425: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in umbraco Umbraco-CMS
Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access, so that an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs are cached for a period of time, improving performance. There's an issue when these two things are used together: the cache does not vary by the header that contains the API key. As such, it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by a request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1.
AI Analysis
Technical Summary
CVE-2025-54425 is a medium-severity vulnerability affecting Umbraco CMS versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1, and 16.0.0 through 16.1.0. Umbraco is a popular ASP.NET-based content management system widely used for building websites and web applications. The vulnerability arises from a misconfiguration in the content delivery API's caching mechanism when combined with API key-based authorization. Specifically, the content delivery API can be configured to restrict access by requiring a valid API key in the request header. Additionally, output caching can be enabled to improve performance by caching API responses for a period of time. However, the caching implementation does not vary the cached content based on the API key header. This means that if a valid API key holder requests content, the response is cached without associating it uniquely with that key. Subsequently, an unauthorized user without a valid API key can retrieve the cached response for the same path and query, effectively bypassing the API key restriction and exposing potentially sensitive information. This vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The flaw does not require authentication or user interaction to exploit and can be triggered remotely over the network. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the limited impact on confidentiality (partial information disclosure), no impact on integrity or availability, and ease of exploitation without privileges. The issue was fixed in Umbraco versions 13.9.3, 15.4.4, and 16.1.1 by ensuring that the caching mechanism varies responses based on the API key header, preventing unauthorized reuse of cached content. No known exploits are reported in the wild as of the publication date (July 30, 2025).
Potential Impact
For European organizations using affected versions of Umbraco CMS, this vulnerability poses a risk of unauthorized disclosure of sensitive content delivered via the content delivery API. This could include proprietary business information, customer data, or other confidential content intended only for authorized API consumers. The exposure could lead to reputational damage, regulatory non-compliance (e.g., GDPR violations if personal data is leaked), and potential competitive disadvantage. Since the vulnerability allows bypassing API key restrictions without authentication, attackers can freely access cached API responses if caching is enabled and misconfigured. This risk is particularly relevant for organizations that rely on Umbraco CMS for public-facing websites or internal portals that use the content delivery API with API key restrictions and output caching enabled. The impact is limited to confidentiality; integrity and availability are not affected. However, the ease of exploitation and potential data exposure make it a significant concern for organizations handling sensitive or regulated data.
Mitigation Recommendations
1. Upgrade Umbraco CMS to the fixed versions: 13.9.3, 15.4.4, or 16.1.1, depending on the version in use. This is the most effective mitigation as it addresses the root cause in the caching mechanism.
2. If immediate upgrade is not possible, disable output caching on the content delivery API to prevent cached responses from being served without proper authorization.
3. Review and audit API key usage and access logs to detect any unusual or unauthorized access patterns that might indicate exploitation attempts.
4. Implement additional access controls such as IP whitelisting or network segmentation to restrict access to the content delivery API.
5. Consider adding custom cache key variation logic (if supported) to ensure cached responses are uniquely associated with API keys or other authorization tokens.
6. Conduct a thorough security review of API configurations and ensure that sensitive content is not inadvertently exposed through other caching or proxy layers.
7. Monitor Umbraco security advisories and CVE databases for any updates or emerging exploits related to this vulnerability.
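To make recommendation 5 concrete, here is an added example in C# (it is not Umbraco's code and not the vendor's patch) of how the failure mode looks in a plain ASP.NET Core output-cache configuration, next to a policy that varies the cache entry by the API-key header. The header name `Api-Key`, the route paths and the policy names are assumptions, and the sample key is a constructed value; a real deployment loads the key from configuration.

```csharp
// Added example, not Umbraco's code: a minimal ASP.NET Core 8 app (top-level statements)
// showing an output-cache policy with the advisory's failure mode next to one that varies
// the cache entry by the API-key header. The header name "Api-Key", the route paths and
// the sample key are assumptions/constructed values, not taken from the advisory.
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.OutputCaching;

const string ApiKeyHeader = "Api-Key";               // assumed header name
const string ExpectedKey = "CONSTRUCTED-SAMPLE-KEY"; // constructed; load from configuration in practice

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddOutputCache(options =>
{
    // WEAK: the entry is keyed only by path and query string. Once a caller with a valid
    // key has populated it, every later request for the same URL is served from the cache
    // before the endpoint (and its key check) runs, key or no key.
    options.AddPolicy("delivery-weak", policy => policy.Expire(TimeSpan.FromMinutes(1)));

    // FIXED: vary the entry by the API-key header. A request without a key, or with a
    // different key, misses the cache and reaches the endpoint, which rejects it.
    options.AddPolicy("delivery-fixed", policy => policy
        .Expire(TimeSpan.FromMinutes(1))
        .SetVaryByHeader(ApiKeyHeader));
});

var app = builder.Build();
app.UseOutputCache();

// Key check shared by both endpoints. Fixed-time comparison avoids leaking key bytes
// through timing. Note that it only runs on a cache miss, which is the whole problem above.
bool HasValidKey(HttpRequest request)
{
    if (!request.Headers.TryGetValue(ApiKeyHeader, out var supplied)) return false;
    var suppliedBytes = Encoding.UTF8.GetBytes(supplied.ToString());
    var expectedBytes = Encoding.UTF8.GetBytes(ExpectedKey);
    return CryptographicOperations.FixedTimeEquals(suppliedBytes, expectedBytes);
}

IResult Deliver(HttpRequest request, string path) =>
    HasValidKey(request)
        ? Results.Ok(new { path, body = "protected content" }) // constructed payload
        : Results.Unauthorized();

app.MapGet("/weak/content/{path}", (HttpRequest request, string path) => Deliver(request, path))
   .CacheOutput("delivery-weak");
app.MapGet("/fixed/content/{path}", (HttpRequest request, string path) => Deliver(request, path))
   .CacheOutput("delivery-fixed");

app.Run();
```

Run it in a project that uses the `Microsoft.NET.Sdk.Web` SDK and send two requests to each route: first with the header `Api-Key: CONSTRUCTED-SAMPLE-KEY`, then without it, inside the one-minute expiry window. Under `delivery-weak` the second request is answered 200 from the cache, reproducing the exposure the advisory describes; under `delivery-fixed` it misses the cache and gets 401. The vary rule is needed because ASP.NET Core's default output-cache policy only skips caching for requests that carry an `Authorization` header or an authenticated user; a key carried in a custom header is invisible to it. Pairing the vary rule with a short expiry, or disabling output caching for the delivery API entirely until the upgrade is done (recommendation 2), limits the window further.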
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-21T23:18:10.282Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688a2609ad5a09ad00a65514
Added to database: 7/30/2025, 2:02:49 PM
Last enriched: 7/30/2025, 2:18:23 PM
Last updated: 7/31/2025, 6:28:15 AM
Related Threats
- CVE-2025-50867: n/a (severity: Unknown)
- CVE-2025-29556: n/a (severity: Unknown)
- CVE-2025-50848: n/a (severity: High)
- CVE-2025-8409: SQL Injection in code-projects Vehicle Management (severity: Medium)
- CVE-2025-52203: n/a (severity: High)