DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-7JXJ-RPX7-PH2C: Cache Me If You Can: Umbraco Forms & The ImageSharp Betrayal

#security #cve #cybersecurity #ghsa

Cache Me If You Can: Umbraco Forms & The ImageSharp Betrayal

Vulnerability ID: GHSA-7JXJ-RPX7-PH2C
CVSS Score: 3.1
Published: 2026-01-22

A Web Cache Deception vulnerability exists in Umbraco Forms where sensitive uploaded files are inadvertently cached by CDNs due to aggressive caching headers set by the ImageSharp library, potentially allowing unauthenticated access to private data.

TL;DR

Umbraco Forms protects your sensitive uploads, but the ImageSharp library—optimized for performance—tells CDNs to cache them publicly. If an admin views a protected file, it gets stored on the CDN edge, allowing anyone with the direct link to bypass authentication and download the file.

Technical Details

  • Attack Vector: Network (CDN Cache Deception)
  • CVSS Score: 3.1 (Low)
  • Complexity: High (Requires GUID knowledge)
  • Privileges: None (Unauthenticated)
  • Impact: Confidentiality (Information Disclosure)
  • Vulnerability Type: Web Cache Deception / Insecure Storage

Affected Systems

  • Umbraco CMS (using Umbraco Forms)
  • ImageSharp Middleware
  • Content Delivery Networks (CDN)
  • Umbraco Forms: < 13.9.0 (Fixed in: 13.9.0)
  • Umbraco Forms: < 16.4.0 (Fixed in: 16.4.0)
  • Umbraco Forms: < 17.1.0 (Fixed in: 17.1.0)

Exploit Details

  • Manual Analysis: Exploitation requires knowledge of specific GUIDs and CDN presence.

Mitigation Strategies

  • Upgrade Umbraco Forms to a patched version immediately.
  • Implement custom middleware to force no-store headers on sensitive paths.
  • Configure CDN rules to explicitly bypass caching for /media/forms/upload/*.

Remediation Steps:

  1. Identify the version of Umbraco Forms currently running.
  2. If running Umbraco 13, upgrade to version 13.9.0 or later.
  3. If running Umbraco 16, upgrade to version 16.4.0 or later.
  4. If running Umbraco 17, upgrade to version 17.1.0 or later.
  5. If upgrading is not possible, inject the provided C# middleware into Startup.cs after app.UseStaticFiles().

References

Read the full report for GHSA-7JXJ-RPX7-PH2C on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)