CVE-2025-54425: 
C# vulnerability analysis and mitigation

CVE-2025-54425 affects Umbraco's content delivery API, discovered and disclosed on July 29, 2025. The vulnerability impacts Umbraco CMS versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.3, and 16.0.0 through 16.1.0. The issue allows unauthorized access to cached API responses when both API key restriction and output caching features are enabled (GitHub Advisory).

The vulnerability stems from an implementation flaw in the caching mechanism where the system doesn't vary the cache by the API key header. When output caching is enabled, responses for requests made with valid API keys are cached. Subsequent requests to the same endpoint can retrieve the cached response even without a valid API key. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating it can be exploited remotely without requiring privileges or user interaction (GitHub Advisory).

The vulnerability allows unauthorized users to access cached content that should be protected by API key authentication. This creates a potential information disclosure risk where sensitive content intended to be accessible only to authenticated API users could be exposed to unauthorized users through the cache (GitHub Advisory).

The issue has been patched in versions 13.9.3, 15.4.4, and 16.1.1. For users unable to update immediately, temporary workarounds include removing or reducing the output caching time period, or implementing additional access restrictions such as IP-based filtering for the delivery API. The fix involves modifying the CacheRequestAsync method to verify public access before enabling output caching (GitHub Advisory, Content API).