Files or Directories Accessible to External Parties in umbraco.cms.web.backoffice | CVE-2025-66625

Q: How to fix?

Upgrade Umbraco.Cms.Web.BackOffice to version 13.12.1 or higher.

Introduced: 9 Dec 2025

NewCVE-2025-66625 (opens in a new tab) CWE-377 (opens in a new tab) CWE-552 (opens in a new tab)

How to fix?

Upgrade Umbraco.Cms.Web.BackOffice to version 13.12.1 or higher.

Overview

Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties in the dictionary import process. An attacker can enumerate the existence of arbitrary files on the server's filesystem and, in certain configurations, may expose the NTLM hash of the Windows account running the application by making predictable requests to temporary file paths and analyzing error responses. This is only exploitable if the attacker has an authorized backoffice account with access to the "Translations" section.

Workaround

This vulnerability can be mitigated by restricting access to the "Translations" section to only trusted users.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Files or Directories Accessible to External Parties Affecting umbraco.cms.web.backoffice package, versions [10.0.0,13.12.1)

Severity

Do your applications use this vulnerable package?

Snyk Learn