CVE-2025-48953: Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads

5.5 CVSS

Description

Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere with the configured allowable file extensions via a manipulated API request. The issue is patched in versions 15.4.2 and 16.0.0. No known workarounds are available.

Classification

CVE ID: CVE-2025-48953

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.5

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Problem Types

CWE-434: Unrestricted Upload of File with Dangerous Type

Affected Products

Vendor: umbraco

Product: Umbraco-CMS

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.41% (scored less or equal to compared to others)

EPSS Date: 2025-06-07 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48953
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fr6r-p8hv-x3c4
https://github.com/umbraco/Umbraco-CMS/commit/d920e93d1ee29dc3301697e444f53e8cd5db3cf9

Timeline

2025-06-03 19:40:22 UTC
CVE

Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads
2025-06-05 00:15:32 UTC
Github Advisory Database (Nuget)

[Umbraco.Cms] Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads