CVE-2025-48953 - Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads

1. Vulnerability Properties

Title: Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads
CVE ID: CVE-2025-48953
CVSSv3.1 Base Score: 5.5 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L)
Vendor: Umbraco
Products: Umbraco CMS
Advisory Release Date: 3 June 2025
Advisory URL: https://labs.integrity.pt/advisories/cve-2025-48953
Credits: Discovery by João Mendes joao.pedro.mendes@devoteam.com

2. Vulnerability Summary

Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it is possible to upload a file that does not adhere to the configured allowed file extensions via a manipulated API request.

4. Vulnerable Versions

  • >= 14.0.0, <= 15.4.1

5. Solution

  • Update to version 15.4.2 or 16.0.0

6. Vulnerability Timeline

  • 24/Apr/25 - Bug reported to Umbraco
  • 28/Apr/25 - Bug verified by Umbraco
  • 03/Jun/25 - Bug fixed by vendor
  • 03/Jun/25 - Advisory released

7. References

  • https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fr6r-p8hv-x3c4
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48953
  • https://www.cve.org/CVERecord?id=CVE-2025-48953


© 2025 INTEGRITY S.A. All rights reserved.