Cve-2025-54100?

DurdenTyler · December 16, 2025, 4:40pm

Hello Guys,

is Powershell Universal effected from this CVE-2025-54100?
I can see Invoke-Webrequest commands in the background.
Without parameter -UseBasicParsing it should run into issues.

regards,
Tyler

adam · December 16, 2025, 6:35pm

It looks like PSU update cmdlets do not use the -UseBasicParsing parameter. This will be fixed in the next version. That said, it won’t run these automatically. Can you verify if scripts you have written are doing this?

DurdenTyler · December 17, 2025, 12:14am

We patched right now. Powershell universal and our apps working fine after the patch.

We do not have a custom script using “Invoke-Webrequest” - but maybe someone else have it.

DurdenTyler · December 17, 2025, 1:45pm

Here are some places where invoke-webrequest is used inside Powershell Universal.
It looks like it is used for the update process and some example scripts.

Update: 
Path: C:\Program Files (x86)\Universal\Modules\Universal\Universal.psm1
    if ($LatestVersion) {
        $Version = (Invoke-WebRequest https://imsreleases.blob.core.windows.net/universal/production/v4-version.txt).Content
    }
    Remove-Item $Zip -Force -ErrorAction SilentlyContinue
    Invoke-WebRequest "https://imsreleases.blob.core.windows.net/universal/production/$version/Universal.$platform.$Version.zip" -OutFile $Zip
    Remove-Item $Zip -Force -ErrorAction SilentlyContinue
    Invoke-WebRequest "https://imsreleases.blob.core.windows.net/universal/production/$version/Universal.$platform.$Version.zip" -OutFile $Zip


Example: 
Path: C:\Program Files (x86)\Universal\Modules\Universal\UniversalDashboard.MaterialUI.psm1
    if ($Url) {
        $WebRequest = Invoke-WebRequest -Uri $Url
        $StringData = $WebRequest.Content
        $ContentType = $WebRequest.Headers["Content-Type"]
    }

Update: 
Path: C:\Program Files (x86)\Universal\Modules\Universal\Universal.psm1
    Remove-Item $Path -Force -Recurse
    Invoke-WebRequest "https://imsreleases.blob.core.windows.net/universal/production/$version/Universal.$platform.$Version.zip" -OutFile $Zip

function Start-UDDownload

If someone can get write access to the target URLs he could easly inject malware into all Powershell Universal instances because they poll for new updates?

imsreleases.blob.core.windows.net/universal/production/v4-version.txt

adam · December 17, 2025, 4:08pm

It’s possible but they would need to gain access to our Azure infrastructure. These cmdlets are also not run automatically and need to be done by a user.

Topic		Replies	Views
Security Update: PowerShell Universal CVE-2023-49213 Announcements	6	404	November 22, 2023
PowerShell Universal - 4.2.1 releases	0	194	November 16, 2023
PowerShell Universal - 4.1.10 releases	0	174	November 16, 2023
PowerShell Universal - 3.10.2 releases	0	158	November 16, 2023
Security Bulletin – PowerShell Universal Role-Based Access Controls PowerShell Universal	0	494	June 26, 2020

Cve-2025-54100?

Related topics