
Cloud Vulnerability DB
A community-led vulnerabilities database
A path traversal vulnerability (CVE-2025-11842) has been identified in Shazwazza Smidge versions up to 4.5.1. The flaw lies in the Bundle Handler component, where manipulation of the Version argument can lead to path traversal. The issue was disclosed in September 2025 and affects the core functionality of the Smidge library, a lightweight solution for CSS and JavaScript file management in Microsoft .NET applications (NVD, GitHub Release).
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has received a CVSS v4.0 Base Score of 5.3 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N. Remote exploitation is possible with low attack complexity, although the vector indicates that low privileges (PR:L) are required (NVD, VulDB).
The vulnerability can potentially be exploited to enumerate usernames on the web server and deplete available hard disk space, affecting system availability. The impact is particularly concerning as Smidge has over 10M downloads on NuGet and is integrated into several versions of the Umbraco CMS, including versions 10, 11, 12, and 13 (GitHub Vuln).
The vulnerability has been patched in version 4.6.0, and organizations are strongly advised to upgrade to this version. Additional mitigations include: ensuring correct permissions are assigned to web application user accounts, avoiding the use of TimestampCacheBuster in production environments, and disabling the Developer Exception Page and detailed exception output in production environments (GitHub Release).
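As an added illustration of the CWE-22 pattern and its fix (example code, not Smidge's own implementation; the on-disk cache layout, the `CURRENT_VERSION` value and the function names are assumptions), the vulnerable resolver splices a client-supplied version segment straight into a file path, while the hardened one allow-lists the token, accepts only a version the server actually issued, and confirms the resolved path stays under the cache root:

```python
import os
import re
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed layout for this example (not Smidge's real cache layout):
#   <CACHE_ROOT>/<version>/<bundle file>
CACHE_ROOT = Path("/var/app/bundle-cache")
# The single cache-buster value this server currently issues (assumed).
CURRENT_VERSION = "20250901a"


def vulnerable_bundle_path(version: str, bundle: str) -> str:
    """CWE-22 pattern: a client-controlled version segment is used in a path unchecked."""
    return os.path.normpath(CACHE_ROOT / unquote(version) / bundle)


# One path segment: alphanumerics, dot, underscore, hyphen; no separators; bounded length.
VERSION_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def hardened_bundle_path(version: str, bundle: str) -> Optional[str]:
    """Return a cache path only for a version we issued that resolves under CACHE_ROOT."""
    version = unquote(version)  # decode once so %2e%2e cannot slip past the shape check
    if not VERSION_TOKEN.fullmatch(version) or ".." in version:
        return None  # wrong shape: separators, dot-dot or oversized token
    if version != CURRENT_VERSION:
        return None  # unknown versions never create new cache entries (limits disk fill)
    candidate = os.path.normpath(CACHE_ROOT / version / bundle)
    if os.path.commonpath([str(CACHE_ROOT), candidate]) != str(CACHE_ROOT):
        return None  # containment check as defence in depth (also covers the bundle name)
    return candidate


if __name__ == "__main__":
    for v in ["20250901a", "../../../etc", "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc", "x" * 200]:
        print(repr(v[:32]), vulnerable_bundle_path(v, "site.css"), hardened_bundle_path(v, "site.css"))
```

Paths are shown for a POSIX host; the exact-match check against the server's own version is only practical when the cache buster is deterministic, which is why a per-request timestamp buster is a poor fit for production.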
Source: This report was generated using AI