CVE-2025-32017

Description

### Impact Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location. ### Patches The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1. ### Workarounds Umbraco supports the configuration of [allowed](https://docs.umbraco.com/umbraco-cms/reference/configuration/contentsettings#allowed-upload-file-extensions) and [disallowed file extensions](https://docs.umbraco.com/umbraco-cms/reference/configuration/contentsettings#disallowed-upload-file-extensions). Using these options to allow only necessary file extensions significantly reduces the scope of the vulnerability.

How to fix CVE-2025-32017

To remediate CVE-2025-32017, upgrade the affected package to a fixed version below.

• —upgrade to 14.3.4 or later

Is CVE-2025-32017 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 14.0.0--preview004, < 14.3.4

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-32017
• PATCHgithub.com/umbraco/Umbraco-CMS
• WEBgithub.com/umbraco/Umbraco-CMS/commit/06a2a500b358ce15b1e228391eb60bd517c6e833
• WEBgithub.com/umbraco/Umbraco-CMS/commit/d3c1443b14b1076faf13d1bcecc42860fdf5fad8