Security Bulletin SC2025-001-7922


Overview

This article reports a High severity vulnerability (CVE-2025-3600), for which a solution is available.

This issue pertains to Telerik UI for ASP.NET AJAX (versions 2011.2.712 to 2025.1.218).

Sitecore uses some UI controls from Telerik, so we encourage Sitecore customers and partners to review the information below and apply the recommended Solution. The issue impacts the Content Management and Standalone roles and the Dedicated Dispatch Server (if present).

The vulnerability might impact the following Sitecore products:

 Sitecore Products                           Impact
 Experience Manager (XM)                     Impacted *
 Experience Platform (XP)                    Impacted *
 Experience Commerce (XC)                    Impacted *
 Managed Cloud                               Impacted **
 XM Cloud                                    Not impacted
 Content Hub                                 Not impacted
 CDP and Personalize (formerly Boxever)      Not impacted
 OrderCloud (formerly Four51 OrderCloud)     Not impacted
 Storefront (formerly Four51 Storefront)     Not impacted
 Moosend                                     Not impacted
 Send                                        Not impacted
 Discover (formerly Reflektion)              Not impacted
 Commerce Server                             Not impacted

* The vulnerability impacts all Experience Platform topologies (XM, XP, XC).
** Managed Cloud customers who run the affected Experience Platform versions are affected.

This Security Bulletin might receive additional updates as further details are discovered; the History Of Updates section will provide a detailed list of all changes.

If you want to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

Severity Definitions

To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the definitions from the Severity Definitions for Security Vulnerabilities to report security issues.

Solution

Important note: before proceeding with the approach below and updating your web.config, ensure that the IIS URL Rewrite module is installed. If it is not present, IIS does not recognize the <rewrite> configuration section and the application will not start.

To mitigate the vulnerability, use IIS URL Rewrite rules to deny malicious requests to the Telerik.Web.UI.WebResource.axd handler. Add the following rules to the <system.webServer> section of web.config. In order, they:
- allow POST requests to the handler whose query string is exactly type=rau or type=rcu (RadAsyncUpload and RadCloudUpload);
- block GET requests to the handler that carry a Content-Type header;
- block any request to the handler that contains a "prtype" parameter in the query string or in the Cookie header (checked after URL decoding), and any request to the handler that is not a GET and was not admitted by the first rule.

<rewrite>
 <rules>
  <rule name="Allow RadAsyncUpload and RadCloudUpload Post Requests" stopProcessing="true">
   <match url="Telerik.Web.UI.WebResource.axd" />
   <conditions logicalGrouping="MatchAll">
    <add input="{UrlDecode:{QUERY_STRING}}" pattern="^type=(rau|rcu)$" ignoreCase="true" />
    <add input="{REQUEST_METHOD}" pattern="^POST$" ignoreCase="true" />
   </conditions>
   <action type="None" />
  </rule>
  <rule name="Block all GET requests containing Content-Type" stopProcessing="true">
   <match url="Telerik.Web.UI.WebResource.axd" ignoreCase="true" />
   <conditions logicalGrouping="MatchAll">
    <add input="{REQUEST_METHOD}" pattern="^GET$" ignoreCase="true" />
    <add input="{HTTP_CONTENT_TYPE}" pattern=".+" ignoreCase="true" />
   </conditions>
   <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Request blocked" />
  </rule>
  <rule name="Block PRType and Encoded Attacks" stopProcessing="true">
   <match url="Telerik.Web.UI.WebResource.axd" ignoreCase="true" />
   <conditions logicalGrouping="MatchAny">
    <add input="{UrlDecode:{QUERY_STRING}}" pattern="prtype=" ignoreCase="true" />
    <add input="{UrlDecode:{HTTP_COOKIE}}" pattern="prtype=" ignoreCase="true" />
    <add input="{REQUEST_METHOD}" pattern="^GET$" negate="true" ignoreCase="true" />
   </conditions>
   <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Request blocked" />
  </rule>
 </rules>
</rewrite>
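To see which requests the rule set above admits and which it rejects without standing up an IIS host, the following Python script models the three rules. It is an added example for this bulletin, not Sitecore or Telerik code, and it re-implements only the subset of URL Rewrite semantics the rules rely on (ordered rules with stopProcessing, MatchAll/MatchAny, negate, ignoreCase and {UrlDecode:}). The requests in CASES are constructed, not captured traffic.

```python
"""Offline model of the three URL Rewrite rules from the Solution section.

Added example; it is not part of the bulletin or of Sitecore/Telerik code.
It re-implements the subset of IIS URL Rewrite semantics the rules rely on
(ordered rules with stopProcessing, MatchAll/MatchAny, negate, ignoreCase,
and {UrlDecode:}) so the rule set can be exercised against constructed
requests without an IIS host.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# <match url="..."> pattern shared by all three rules (ECMAScript regex,
# applied to the path relative to the site root, without a leading slash).
HANDLER_PATTERN = r"Telerik.Web.UI.WebResource.axd"


@dataclass
class Request:
    """Constructed HTTP request, reduced to what the rules inspect."""
    method: str
    path: str                      # relative URL path, no leading '/'
    query: str = ""                # raw query string, no leading '?'
    headers: dict = field(default_factory=dict)

    def server_variable(self, name: str) -> str:
        """Resolve the IIS server variables referenced by the rules."""
        if name == "REQUEST_METHOD":
            return self.method
        if name == "QUERY_STRING":
            return self.query
        if name == "HTTP_CONTENT_TYPE":
            return self.headers.get("Content-Type", "")
        if name == "HTTP_COOKIE":
            return self.headers.get("Cookie", "")
        raise KeyError(name)


def cond(var, pattern, negate=False, url_decode=False):
    """One <add input="{var}" pattern="..."/> condition."""
    return {"var": var, "pattern": pattern, "negate": negate, "url_decode": url_decode}


# The web.config rules, in order; action "None" lets the request through,
# "403" is the CustomResponse. Every rule has stopProcessing="true".
RULES = [
    ("Allow RadAsyncUpload and RadCloudUpload Post Requests", "MatchAll",
     [cond("QUERY_STRING", r"^type=(rau|rcu)$", url_decode=True),
      cond("REQUEST_METHOD", r"^POST$")], "None"),
    ("Block all GET requests containing Content-Type", "MatchAll",
     [cond("REQUEST_METHOD", r"^GET$"),
      cond("HTTP_CONTENT_TYPE", r".+")], "403"),
    ("Block PRType and Encoded Attacks", "MatchAny",
     [cond("QUERY_STRING", r"prtype=", url_decode=True),
      cond("HTTP_COOKIE", r"prtype=", url_decode=True),
      cond("REQUEST_METHOD", r"^GET$", negate=True)], "403"),
]


def condition_holds(req: Request, c: dict) -> bool:
    value = req.server_variable(c["var"])
    if c["url_decode"]:
        value = unquote(value)     # {UrlDecode:...} decodes exactly once
    matched = re.search(c["pattern"], value, re.IGNORECASE) is not None
    return matched != c["negate"]  # negate="true" inverts the match


def evaluate(req: Request):
    """Return (rule_name, outcome); outcome is "pass" or "403".

    rule_name is None when no rule matched and the request falls through
    to the Telerik handler unchanged.
    """
    if not re.search(HANDLER_PATTERN, req.path, re.IGNORECASE):
        return None, "pass"        # no rule's <match url> applies
    for name, grouping, conds, action in RULES:
        results = [condition_holds(req, c) for c in conds]
        hit = all(results) if grouping == "MatchAll" else any(results)
        if hit:                    # stopProcessing="true": first hit decides
            return name, ("pass" if action == "None" else action)
    return None, "pass"


# Constructed requests (not captured traffic) covering the allow path,
# the block paths, and the URL-encoded "prtype" variant.
CASES = [
    Request("POST", "Telerik.Web.UI.WebResource.axd", "type=rau"),
    Request("GET", "Telerik.Web.UI.WebResource.axd", "type=rau"),
    Request("GET", "Telerik.Web.UI.WebResource.axd", "type=rau&prtype=x"),
    Request("GET", "Telerik.Web.UI.WebResource.axd", "%70rtype=x"),
    Request("GET", "Telerik.Web.UI.WebResource.axd", "", {"Cookie": "ASP.NET_SessionId=a; prtype=x"}),
    Request("GET", "Telerik.Web.UI.WebResource.axd", "type=rau", {"Content-Type": "text/plain"}),
    Request("POST", "Telerik.Web.UI.WebResource.axd", "type=rau&extra=1"),
    Request("GET", "sitecore/shell/default.aspx", "prtype=x"),
]

if __name__ == "__main__":
    for r in CASES:
        rule, outcome = evaluate(r)
        print(f"{outcome:4} {r.method:4} /{r.path}?{r.query}  <- {rule or 'no rule matched'}")
```

Two properties of the rule set are worth knowing before rollout. A POST to the handler is admitted only when the query string is exactly type=rau or type=rcu, so every other non-GET request to the handler (including a POST with an additional parameter) receives a 403; test any custom upload controls after applying the rules. The prtype checks run on the URL-decoded value, so the %70rtype=x form is rejected along with the plain one; the model decodes once, as {UrlDecode:} does.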

 

For containerized environments, add an XDT transformation as described here: 
https://doc.sitecore.com/xp/en/developers/latest/developer-tools/applying-configuration-transforms.html

Note that in the official Sitecore Docker images the URL Rewrite module is generally not enabled by default in the IIS containers. Make sure to enable the module along with applying the XDT transformation below. Each <rule> element carries xdt:Locator="Match(name)" so that InsertIfMissing is decided per rule name; without a locator, XDT matches by element name only and would treat the second and third rules as already present once the first <rule> exists.

<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
 <system.webServer>
  <rewrite xdt:Transform="InsertIfMissing">
   <rules xdt:Transform="InsertIfMissing">
    <rule name="Allow RadAsyncUpload and RadCloudUpload Post Requests" stopProcessing="true" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)">
     <match url="Telerik.Web.UI.WebResource.axd" />
     <conditions logicalGrouping="MatchAll">
      <add input="{UrlDecode:{QUERY_STRING}}" pattern="^type=(rau|rcu)$" ignoreCase="true" />
      <add input="{REQUEST_METHOD}" pattern="^POST$" ignoreCase="true" />
     </conditions>
     <action type="None" />
    </rule>
    <rule name="Block all GET requests containing Content-Type" stopProcessing="true" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)">
     <match url="Telerik.Web.UI.WebResource.axd" ignoreCase="true" />
     <conditions logicalGrouping="MatchAll">
      <add input="{REQUEST_METHOD}" pattern="^GET$" ignoreCase="true" />
      <add input="{HTTP_CONTENT_TYPE}" pattern=".+" ignoreCase="true" />
     </conditions>
     <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Request blocked" />
    </rule>
    <rule name="Block PRType and Encoded Attacks" stopProcessing="true" xdt:Transform="InsertIfMissing" xdt:Locator="Match(name)">
     <match url="Telerik.Web.UI.WebResource.axd" ignoreCase="true" />
     <conditions logicalGrouping="MatchAny">
      <add input="{UrlDecode:{QUERY_STRING}}" pattern="prtype=" ignoreCase="true" />
      <add input="{UrlDecode:{HTTP_COOKIE}}" pattern="prtype=" ignoreCase="true" />
      <add input="{REQUEST_METHOD}" pattern="^GET$" negate="true" ignoreCase="true" />
     </conditions>
     <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Request blocked" />
    </rule>
   </rules>
  </rewrite>
 </system.webServer>
</configuration>

FAQ

Does the issue affect all Sitecore XP server roles (Content Delivery, Content Management, Reporting, Processing, EXM Dispatch)?
The issue impacts only Content Management (CM) and Standalone instances and the Dedicated Dispatch Server (if present). Apply the solution above to those roles.

Is it possible to provide more information regarding the vulnerability?
No. Releasing further details could disclose the exploitation scenario and cause severe impact on customers.


History Of Updates