Platform: dotnet
Component: umbraco.cms
Fixed in: 14.0.1, 15.0.1, 14.3.4
CVE-2025-32017 is a path traversal vulnerability in Umbraco.Cms. An authenticated user with access to the Umbraco backoffice can manipulate management API requests so that an uploaded file is written to a location on the server other than the intended one. It affects Umbraco.Cms 14.x releases before 14.3.4 and 15.x releases before 15.3.1; the fix shipped in 14.3.4 and 15.3.1.
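To check whether a project pulls in an affected release, the version ranges above can be applied to a NuGet packages.lock.json. The script below is an added example written for this page, not Umbraco tooling: it reads the lock file format NuGet produces, finds every Umbraco.Cms entry (direct or transitive) per target framework, and compares the resolved version against the fixed versions named above. The embedded lock file is constructed for illustration.

```python
"""Flag Umbraco.Cms versions in a packages.lock.json that are affected by
CVE-2025-32017, using the fixed versions this page names (14.3.4, 15.3.1).
Added example, not Umbraco's or the page's own tooling."""
import json

# Fixed versions as stated on this page: 14.x before 14.3.4, 15.x before 15.3.1.
FIXED = {14: (14, 3, 4), 15: (15, 3, 1)}


def parse_version(text):
    """Turn '14.3.3', '15.3.1-rc1' or '14.3.4+build' into (tuple, is_prerelease)."""
    no_build = text.split("+", 1)[0]
    core, dash, _ = no_build.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]), bool(dash)


def is_vulnerable(version):
    """True when the version falls inside the affected range named on this page."""
    v, prerelease = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # not a 14.x or 15.x release; the page names no fix for other lines
    # A pre-release of the fixed version sorts below the release itself (SemVer),
    # so treat it as unfixed rather than assuming it carries the patch.
    return v < fixed or (v == fixed and prerelease)


def umbraco_versions(lock_json):
    """Yield (target_framework, resolved_version) for each Umbraco.Cms entry."""
    data = json.loads(lock_json)
    for framework, packages in data.get("dependencies", {}).items():
        for name, info in packages.items():
            if name.lower() == "umbraco.cms":
                yield framework, info["resolved"]


def check_lock_file(lock_json):
    """Return [(framework, version, vulnerable)] for every Umbraco.Cms entry."""
    return [(fw, ver, is_vulnerable(ver)) for fw, ver in umbraco_versions(lock_json)]


# Constructed sample lock file (not taken from any real project); hashes are placeholders.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Umbraco.Cms": {"type": "Direct", "requested": "[14.3.3, )",
                            "resolved": "14.3.3", "contentHash": "sha512-placeholder"},
            "Umbraco.Cms.Core": {"type": "Transitive", "resolved": "14.3.3",
                                 "contentHash": "sha512-placeholder"},
        },
        "net9.0": {
            "Umbraco.Cms": {"type": "Direct", "requested": "[15.3.1, )",
                            "resolved": "15.3.1", "contentHash": "sha512-placeholder"},
        },
    },
})

if __name__ == "__main__":
    for fw, ver, vuln in check_lock_file(SAMPLE_LOCK):
        print(f"{fw}: Umbraco.Cms {ver} -> {'VULNERABLE' if vuln else 'fixed'}")
```

Only the Umbraco.Cms metapackage is matched; a project that references individual Umbraco.Cms.* packages without the metapackage would need the same range check applied to those names.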
The primary impact of CVE-2025-32017 is an authenticated write outside the intended upload directory. Because backoffice access is required, the attacker is a malicious or compromised backoffice user rather than an anonymous visitor. If the write can reach a web-served or executable location, the uploaded content (a web shell, for example) can lead to remote code execution as the Umbraco worker process, and from there to compromise of the installation and whatever the process account can reach. Writing outside designated directories also allows overwriting application files or injecting content into the site, so data exposure, defacement and service disruption are all plausible outcomes; the exact reach depends on the filesystem permissions of the account running Umbraco.
CVE-2025-32017 was publicly disclosed on April 9, 2025. No public proof-of-concept exploit is known at the time of writing, but path traversal flaws are usually simple to reproduce once the affected code path is identified, so one may appear. The impact is rated high because of the potential for remote code execution. The CVE is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.39% (60th percentile)
The recommended mitigation for CVE-2025-32017 is to upgrade to Umbraco.Cms 14.3.4 or 15.3.1 as soon as possible. If upgrading is not immediately feasible, tighten the upload extension filters in the Umbraco content settings (the AllowedUploadedFileExtensions and DisallowedUploadedFileExtensions lists under Umbraco:CMS:Content in appsettings.json). This does not remove the traversal, but it limits which file types a backoffice user can place on disk and so reduces the impact of a successful exploit. Also review which backoffice users and groups can upload at all, and keep those permissions to the minimum the role needs. After upgrading, verify the fix in a non-production environment: submit an upload whose file name or destination contains traversal sequences such as ../ and confirm that the request is rejected or that the file lands inside the expected media directory, then search the web root for files that do not belong there.
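The extension lists and the traversal check above can be reasoned about concretely. The Python below is an added example, not Umbraco's code: it models the documented behaviour of the two Content settings (a non-empty allow-list admits only listed extensions, otherwise the deny-list applies) against a constructed appsettings.json fragment, and adds a separate containment check showing why the workaround narrows the payload but does not by itself stop a destination path from escaping the media root. The media root path and the extension lists are illustrative assumptions; check your version's documentation for the shipped defaults.

```python
"""Model of the Umbraco Content upload settings and a media-root containment check,
used to show what the CVE-2025-32017 workaround does and does not cover.
Added example; the decision logic re-implements the documented behaviour
(allow-list wins when set, otherwise the deny-list applies), not Umbraco's code."""
import json
import posixpath

# Constructed appsettings.json fragment. The two keys under Umbraco:CMS:Content are
# the real setting names; the extension lists here are illustrative, not the defaults.
APPSETTINGS = json.dumps({
    "Umbraco": {
        "CMS": {
            "Content": {
                "AllowedUploadedFileExtensions": [],
                "DisallowedUploadedFileExtensions": [
                    "ashx", "aspx", "ascx", "config", "cshtml", "vbhtml", "asmx", "axd"
                ],
            }
        }
    }
})


def load_upload_policy(appsettings_json):
    """Return (allowed, disallowed) sets of lower-case extensions without a leading dot."""
    content = json.loads(appsettings_json)["Umbraco"]["CMS"]["Content"]
    allowed = {e.lower().lstrip(".") for e in content.get("AllowedUploadedFileExtensions", [])}
    disallowed = {e.lower().lstrip(".") for e in content.get("DisallowedUploadedFileExtensions", [])}
    return allowed, disallowed


def extension_of(filename):
    """Final extension of the file name only: 'shell.jpg.aspx' is an aspx file."""
    base = posixpath.basename(filename.replace("\\", "/"))
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def upload_allowed(filename, allowed, disallowed):
    """Model of the documented rule: allow-list if configured, else not-denied."""
    ext = extension_of(filename)
    if allowed:
        return ext in allowed
    return ext not in disallowed


def escapes_media_root(target_path, media_root="/app/wwwroot/media"):
    """Containment check the extension filter does NOT provide: does the resolved
    destination stay under the media root? (media_root is an assumed path.)"""
    resolved = posixpath.normpath(posixpath.join(media_root, target_path.replace("\\", "/")))
    return not (resolved == media_root or resolved.startswith(media_root + "/"))


if __name__ == "__main__":
    allowed, disallowed = load_upload_policy(APPSETTINGS)
    for name in ["report.pdf", "shell.aspx", "shell.jpg.ASPX", "..\\..\\shell.cshtml"]:
        print(f"{name!r:28} upload allowed: {upload_allowed(name, allowed, disallowed)}")
    for target in ["2025/04/report.pdf", "../../../web.config", "/etc/passwd"]:
        print(f"{target!r:28} escapes media root: {escapes_media_root(target)}")
```

A deny-list of server-executable extensions stops the classic web-shell upload, but a traversing write can still land on any non-denied file type, such as a JavaScript asset served to visitors. That is why the filter only narrows impact and the version upgrade remains the fix.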
Update Umbraco.Cms to 14.3.4 or later on the 14.x line, or to 15.3.1 or later on the 15.x line; this corrects the path handling in the management API. Take a full backup of the database and file system before updating.
What is CVE-2025-32017?
CVE-2025-32017 is a path traversal vulnerability in Umbraco.Cms that lets authenticated backoffice users upload files to unintended locations on the server.
Am I affected?
Yes, if you are running Umbraco.Cms 14.x before 14.3.4 or 15.x before 15.3.1.
How do I fix it?
Upgrade to Umbraco.Cms 14.3.4 or 15.3.1. As a temporary workaround, restrict the allowed and disallowed upload file extensions in the Umbraco content settings.
Is it being exploited?
No public exploit is currently known, but the vulnerability is simple in nature and exploitation is plausible, so prompt action is recommended.
Refer to the official Umbraco security advisory for detailed information and updates: [https://our.umbraco.com/](https://our.umbraco.com/)