
Security Advisory, September 23, 2025: Security Patches are now available

We recommend you upgrade to the latest patch

Written by Andy Butland

Summary: Moderate and low security vulnerabilities have been found and fixed in Smidge, an upstream dependency for Umbraco 13. Today, we have released patches for the affected versions and recommend upgrading to the latest patch. Projects hosted on Umbraco Cloud will receive the fix automatically.

Who’s affected?

Versions affected:

  • Umbraco 13.0.0 - 13.10.1

Unsupported versions can be subject to the vulnerability, but will not receive a patch. We recommend upgrading to a supported major version.


How to fix the vulnerability

A patch is available for the latest minor version of Umbraco 13. As we are looking at a patch upgrade, and the fix is straightforward, we expect the update to only require minimal effort per project.

Instructions on patch availability and how to upgrade can be found in the release notes:

The only change between Umbraco 13.10.0 and 13.10.1 is an update to the Smidge dependencies to the latest version. As such, if you prefer not to upgrade Umbraco from whatever 13 version you are on, you could just update the Smidge package reference.

To do so, you would need to add a direct dependency to your .csproj file, as follows:

<PackageReference Include="Smidge.InMemory" Version="4.6.0" />
<PackageReference Include="Smidge.Nuglify" Version="4.6.0" />
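A check a practitioner might run across a solution's project files before and after applying the workaround above, written here as an added example and not Umbraco's or Smidge's own code: it parses a .csproj, reads the Umbraco package version and any direct Smidge references, and reports whether the project sits in the affected range and whether both Smidge packages are pinned at 4.6.0 or later. It assumes the Umbraco 13 CMS NuGet package id is Umbraco.Cms and that the project file is an SDK-style .csproj without an XML namespace; a transitive Smidge version is not visible in the .csproj, so a project with no direct references is reported from its Umbraco version alone.

```python
import re
import xml.etree.ElementTree as ET

# Facts taken from the advisory text above.
AFFECTED_UMBRACO = ((13, 0, 0), (13, 10, 1))  # inclusive, per "Versions affected"
FIXED_SMIDGE = (4, 6, 0)
SMIDGE_PACKAGES = ("Smidge.InMemory", "Smidge.Nuglify")
# Assumption: the Umbraco 13 CMS NuGet package id is "Umbraco.Cms".
UMBRACO_PACKAGE = "Umbraco.Cms"

def parse_version(text):
    """Turn '13.10.1' (or '4.6.0-beta1') into a comparable 3-tuple; pre-release tag dropped."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def package_versions(csproj_xml):
    """Map package id -> version string for every <PackageReference> in the project file."""
    root = ET.fromstring(csproj_xml)
    refs = {}
    for ref in root.iter("PackageReference"):
        pkg = ref.get("Include")
        ver = ref.get("Version") or ref.findtext("Version", "")  # attribute or child element
        if pkg and ver:
            refs[pkg] = ver.strip()
    return refs

def assess(csproj_xml):
    """Return 'not-affected', 'patched' or 'vulnerable' for one .csproj."""
    refs = package_versions(csproj_xml)
    umb = refs.get(UMBRACO_PACKAGE)
    if umb is None:
        return "not-affected"  # no Umbraco reference visible in this project file
    lo, hi = AFFECTED_UMBRACO
    if not (lo <= parse_version(umb) <= hi):
        return "not-affected"
    # A direct reference overrides the transitive one, so both packages must be pinned >= 4.6.0.
    direct = [refs.get(p) for p in SMIDGE_PACKAGES]
    if all(v is not None and parse_version(v) >= FIXED_SMIDGE for v in direct):
        return "patched"
    return "vulnerable"

# Constructed sample: an Umbraco 13.9.0 project that has applied the direct-reference workaround.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Umbraco.Cms" Version="13.9.0" />
    <PackageReference Include="Smidge.InMemory" Version="4.6.0" />
    <PackageReference Include="Smidge.Nuglify" Version="4.6.0" />
  </ItemGroup>
</Project>"""
if __name__ == "__main__":
    print(assess(SAMPLE_CSPROJ))  # patched
```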


Automatic fix on Umbraco Cloud

All Umbraco Cloud sites running the latest minor version of a supported version are patched via the automated patch feature. The security patches will be rolled out to Umbraco Cloud today to ensure all sites have been fixed.

If a project is not running the latest minor version (13.10.x), the patch can be applied using the minor upgrade feature.

Screenshot from the Umbraco Cloud Portal showing the option to turn on Automatic Minor Upgrades

ℹ️ Note that Umbraco Cloud also supports automated minor upgrades. This can be enabled on a per-project level and ensures you're always ready to receive the latest patch.

What we know about the vulnerability

Smidge is a library used for runtime minification and bundling of JavaScript and CSS files that is used by default by Umbraco for this purpose.

The vulnerability could potentially allow an attacker to enumerate usernames on the web server, or to deplete the available hard disk space and thus affect availability.

For further details on the vulnerability, please see the information released by the security researcher that discovered the issue here.


Any questions?

If you have any questions or comments about this advisory, make sure to get in touch with us directly on the Security Advisories. Alternatively, you can reach out to the dedicated security email address listed at https://umbraco.com/security. Here you can also find information on how we handle security-related issues.

For direct communication related to security in Umbraco products, please sign up for the dedicated security mailing list.