@legacy-git
Updates

  • Affected products
  • CVSS v3
  • CVSS v4
  • Severity

Comments
Hi there!

I represent the security team at Umbraco HQ, and I have reviewed CVE-2025-67288 internally. I can conclude that this advisory describes a vulnerability that is already documented under CVE-2023-49279 and does not represent a new issue. The underlying root cause, exploitation conditions, and impact are identical to the earlier CVE. The only difference is the example file type referenced (PDF instead of SVG), but the issue is not file-type specific and has already been addressed as a class of behavior.

Additionally, the PDF-based example is technically inaccurate in modern browser environments. JavaScript execution in PDFs is sandboxed and does not allow access to cookies or meaningful browser context, meaning it does not meet the criteria for XSS in practice. This has been confirmed both through Chromium's security documentation and internal testing.

Because:

  • The issue is a duplicate of CVE-2023-49279 (GHSA-6xmx-85x3-4cv2),
  • No new attack surface or product behavior is introduced,
  • The PDF example does not constitute a valid XSS vector,
  • CVE.org has already updated the CVE with the dispute (https://www.cve.org/CVERecord?id=CVE-2025-67288),
  • It's stated in the official Umbraco CMS documentation that server-side file validation is the implementor's own responsibility, since the CMS doesn't ship with a built-in mechanism.

I believe this advisory should be removed, or at least merged with the existing CVE/advisory to avoid confusion and unnecessary concern for our users. Thank you!

Kind regards,
Anders
Umbraco Security Team

Copilot AI review requested due to automatic review settings January 9, 2026 09:36
@github-actions github-actions bot changed the base branch from main to legacy-git/advisory-improvement-6633 January 9, 2026 09:37

Copilot AI left a comment


Pull request overview

This pull request updates the security advisory GHSA-54mj-vcvj-q3v5 for Umbraco CMS by downgrading the severity assessment. According to the PR description, the Umbraco security team has determined this CVE is a duplicate of an existing CVE-2023-49279 and the PDF-based attack vector is not valid in modern browsers.

Key changes:

  • Removes CVSS v3 scoring entirely
  • Downgrades CVSS v4 score to reflect no actual impact (all metrics set to None)
  • Changes severity rating from "MODERATE" to "LOW"


{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P"
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
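Review bot: the replacement vector drops the E:P threat metric together with every impact metric, and under CVSS v4 a vector with VC/VI/VA and SC/SI/SA all set to N scores 0.0 regardless of the exploitability metrics, so the AT:N to AT:P change has no effect on the result. If the position is that CVE-2025-67288 duplicates CVE-2023-49279, the consistent change is to withdraw this advisory rather than publish a zero-impact vector; if the advisory stays, the metrics should describe whatever residual issue the advisory text still claims, instead of contradicting it.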

Copilot AI Jan 9, 2026


The CVSS v4 score has been downgraded to all "N" (None) values for impact metrics (VC, VI, VA, SC, SI, SA), which results in a score of 0.0. A CVSS score of 0.0 typically indicates no vulnerability exists. However, the advisory still describes an "arbitrary file upload vulnerability" that "allows attackers to execute arbitrary code." This is inconsistent - if the vulnerability allows arbitrary code execution as stated, the impact metrics should reflect this. If the vulnerability has been determined to be invalid or a duplicate (as mentioned in the PR description), the advisory should likely be withdrawn rather than kept with a contradictory zero-impact score.

Suggested change
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"

"CWE-79"
],
"severity": "MODERATE",
"severity": "LOW",
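Review bot: "CWE-79" is kept unchanged while the severity drops to "LOW", yet the PR description argues that the PDF example is not a valid XSS vector at all. Either the weakness classification and the "LOW" rating should describe what cross-site-scripting risk is claimed to remain, or, if none remains, "NONE" (or withdrawing the advisory) is the consistent choice, as the companion CVSS v4 change already computes to 0.0.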

Copilot AI Jan 9, 2026


The severity has been downgraded from "MODERATE" to "LOW", but this conflicts with the CVSS v4 score which now calculates to 0.0 (all impact metrics set to None). A CVSS score of 0.0 would typically correspond to "NONE" severity, not "LOW". Either the CVSS metrics should be adjusted to reflect a low-severity issue, or the severity should be changed to "NONE" or the advisory should be withdrawn if it's been determined to be invalid or duplicate.

Suggested change
"severity": "LOW",
"severity": "NONE",

@JonathanLEvans

Hi @legacy-git,

I want to make sure I have this correct. Umbraco fixed CVE-2023-49279 by implementing the server-side file validation feature and documenting that administrators can block various file types. Umbraco leaves the filter configuration to the administrator and does not block anything by default. This is why the researcher who found CVE-2025-67288 was able to upload a malicious PDF in a later, fixed version of Umbraco. Am I understanding correctly?

@legacy-git

legacy-git commented Jan 12, 2026

Hi @legacy-git,

I want to make sure I have this correct. Umbraco fixed CVE-2023-49279 by implementing the server-side file validation feature and documenting that administrators can block various file types. Umbraco leaves the filter configuration to the administrator and does not block anything by default. This is why the researcher who found CVE-2025-67288 was able to upload a malicious PDF in a later, fixed version of Umbraco. Am I understanding correctly?

Hi Jonathan,

The documentation about serverside file validation is meant as a start to implement your own file validation mechanism. The patch for the previous CVE provided a hook to allow implementors to provide their own validation of the contents of uploaded files. Umbraco doesn't do anything with this out of the box, we just call the validators that are registered on upload, which by default will be an empty collection. We do that as we don't believe there's a sensible default to provide here, it all comes down to the depth of security the implementor wants and the types and sizes they expect to use and analyze.

Regarding CVE-2025-67288, it's by definition not an actual vulnerability, which is why we're requesting a removal/merge of this advisory. The PDF file the researcher used to test with only triggered an alert box to pop up on screen, but as PDFs are sandboxed in modern web browsers, they have no access to actual context and sensitive information from the Umbraco environment, such as cookies, access tokens or other important content. Because of this, you cannot use this exploit to do anything harmful. So in conclusion, the researcher did not upload a malicious PDF file. 😄

I hope this answered your question!

Best regards,
Anders
Umbraco Security Team
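The design Anders describes above, a collection of content validators that the upload path consults and that is empty unless the implementor registers something, is easy to misread as "the CMS validates uploads". The following added example is not Umbraco code and does not use Umbraco's API; it is a standalone Python illustration of that pattern. The names `UploadValidatorRegistry`, `is_considered_safe` and `reject_active_content` are invented, and the PDF and SVG byte strings are constructed minimal samples. It shows that with the default empty registry a PDF carrying a script action is accepted, and that a single registered validator that sniffs the content (rather than trusting the extension, since the thread's point is that the issue is not file-type specific) rejects both the PDF and an SVG with an event-handler attribute.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A validator inspects the raw upload bytes and returns a rejection reason,
# or None when it has no objection (hypothetical signature, not Umbraco's).
Validator = Callable[[bytes], Optional[str]]


@dataclass
class UploadValidatorRegistry:
    """Collection of content validators consulted on every upload.

    Mirrors the behaviour described in the thread: the collection is empty
    unless the implementor registers something, so by default nothing is blocked.
    """
    validators: List[Validator] = field(default_factory=list)

    def register(self, validator: Validator) -> None:
        self.validators.append(validator)

    def is_considered_safe(self, data: bytes) -> Tuple[bool, List[str]]:
        """Run every registered validator; the upload is safe only if none objects."""
        reasons = [r for r in (v(data) for v in self.validators) if r]
        return (not reasons, reasons)


# Markers of active content. PDF: name objects that attach scripts or actions
# (/JavaScript, /JS, /OpenAction, /AA additional actions, /Launch).
# SVG: inline scripts, on* event-handler attributes and javascript: URLs.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")
SVG_ACTIVE = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def reject_active_content(data: bytes) -> Optional[str]:
    """Sample validator: reject PDFs and SVGs that carry script-capable constructs.

    Sniffs the bytes rather than trusting the extension or Content-Type header.
    """
    if data.lstrip().startswith(b"%PDF-"):
        m = PDF_ACTIVE.search(data)
        return f"PDF contains active-content key {m.group(0).decode()}" if m else None
    if b"<svg" in data[:2048].lower():
        m = SVG_ACTIVE.search(data)
        return "SVG contains a script, event handler or javascript: URL" if m else None
    return None  # other formats: this validator has no opinion


# Constructed sample uploads (minimal stand-ins, not real-world files).
SAMPLE_PDF_PLAIN = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_PDF_WITH_JS = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (example()) >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_SVG_PLAIN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'
SAMPLE_SVG_ONLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="example()"></svg>'


def demo() -> dict:
    """Compare the default (empty) registry with one that has the sample validator."""
    default_registry = UploadValidatorRegistry()
    hardened = UploadValidatorRegistry()
    hardened.register(reject_active_content)
    return {
        "default_accepts_js_pdf": default_registry.is_considered_safe(SAMPLE_PDF_WITH_JS)[0],
        "hardened_accepts_js_pdf": hardened.is_considered_safe(SAMPLE_PDF_WITH_JS)[0],
        "hardened_accepts_plain_pdf": hardened.is_considered_safe(SAMPLE_PDF_PLAIN)[0],
        "hardened_accepts_onload_svg": hardened.is_considered_safe(SAMPLE_SVG_ONLOAD)[0],
        "hardened_accepts_plain_svg": hardened.is_considered_safe(SAMPLE_SVG_PLAIN)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Whether a PDF with an /OpenAction script is exploitable in a given viewer is exactly what the thread disputes; the validator sidesteps that question by treating active content in uploaded media as unwanted regardless, which is the kind of policy decision the thread says is left to the implementor.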
