HIGH 8.8 NuGet
Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users
GHSA-q62r-8ppj-xvf4 · CVE-2025-32017
Description
Impact
Users authenticated to the Umbraco backoffice can craft Management API requests that exploit a path traversal vulnerability to upload files to a location other than the one intended by the upload endpoint.
Patches
The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1.
Workarounds
Umbraco supports configuring allowed and disallowed upload file extensions. Restricting uploads to only the extensions a site actually needs significantly reduces the scope of the vulnerability, since an attacker can then only place files of those types. This is a mitigation, not a fix; upgrading to a patched version (14.3.4 or 15.3.1) remains the remediation.
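As an added illustration of that workaround (not text or configuration from the advisory itself), the upload extension settings live under the `Umbraco:CMS:Content` section of `appsettings.json`. The extension lists below are an assumed example for a site that only needs images and PDFs, not a recommendation for any particular deployment; the `//` comments are accepted by the .NET configuration loader:

```json
{
  "Umbraco": {
    "CMS": {
      "Content": {
        // Allow-list: when this list is non-empty it takes precedence over the
        // disallow-list, so only these extensions can be uploaded at all.
        // Example values, assumed for a site that only serves images and PDFs.
        "AllowedUploadedFileExtensions": ["jpg", "jpeg", "png", "gif", "svg", "pdf"],

        // Deny-list: only consulted when AllowedUploadedFileExtensions is empty.
        // Kept here so that removing the allow-list still blocks server-side
        // executable content (these are the kinds of extensions Umbraco blocks
        // by default).
        "DisallowedUploadedFileExtensions": [
          "ashx", "aspx", "ascx", "config", "cshtml", "vbhtml",
          "asmx", "air", "axd", "xamlx", "php"
        ]
      }
    }
  }
}
```

After changing these settings, restart the site and confirm the effect by attempting an upload with a disallowed extension through the backoffice; it should be rejected. Keep the allow-list as small as the site's content actually requires, since every permitted extension is one an authenticated user could still write via the traversal on an unpatched version.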
References
- WEB https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-q62r-8ppj-xvf4
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-32017
- WEB https://github.com/umbraco/Umbraco-CMS/commit/06a2a500b358ce15b1e228391eb60bd517c6e833
- WEB https://github.com/umbraco/Umbraco-CMS/commit/d3c1443b14b1076faf13d1bcecc42860fdf5fad8
- PACKAGE https://github.com/umbraco/Umbraco-CMS