CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-23041: Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms

5.8 CVSS

Description

Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue.

Classification

CVE ID: CVE-2025-23041

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.8

Affected Products

Vendor: umbraco

Product: Umbraco.Forms.Issues

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (scored less or equal to compared to others)

EPSS Date: 2025-02-12 (when was this score calculated)

References

https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-9v8m-qv22-f268

Timeline

2025-01-15 00:30:51 UTC
CVE

Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms