Trust Center


Welcome to UiPath Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation. UiPath maintains a comprehensive information security management system and engages independent auditors to provide industry-standard certifications and attestations.

• You can subscribe for updates and share the page using the icons on the left of this page.
• To ask about CVEs or vulnerabilities, or to report a security issue, use the Contact support or Report issue links at the bottom of this page.

UiPath Security White Paper
Robot MFA
Robot ICAM

Documents

Reports: 2024 Pentest Report
If you need help using this Trust Center, please contact us.
Contact support
If you think you may have discovered a vulnerability, please send us a note.
Report issue
Trust Center Updates

CVE-2025-55315 Trust Center update

Vulnerabilities

October 27, 2025
Trust Center - Public
Update October 27, 2025

UiPath has deployed remediation patches to all affected services in the UiPath Automation Cloud and UiPath Automation Cloud Public Sector environments. Investigation is ongoing for all other services.

October 17, 2025
Trust Center - Public
UiPath Security Advisory CVE-2025-55315

Publish Date October 17, 2025

Version 1.0

Summary: UiPath is aware that Microsoft has released a security advisory to provide information about a vulnerability in ASP.NET Core 10.0, ASP.NET Core 9.0, ASP.NET Core 8.0, and ASP.NET Core 2.3. The vulnerability, an inconsistent interpretation of HTTP requests ("HTTP request/response smuggling") in ASP.NET Core, allows an authorized attacker to bypass a security feature over a network.

UiPath is currently investigating the impact to our products and systems. We will provide updates as soon as they are available.

CVE-2025-55315 Trust Center update

Update November 6, 2025
Patches are now available for all supported .msi packages, and for all affected services deployed through Automation Suite. Download links and release notes are provided below.
Automation Suite

  • v2024.10.6 - Release notes (Linux & AKS/EKS) • download here
  • v2023.10.12 - Release notes (Linux & AKS/EKS) • download here
  • v2023.4.13 - Release notes (Linux) • download here
  • v2022.10.15 - Release notes (Linux) • download here

Mitigation measures have been applied for all versions of Document Understanding:

.MSI Packages
Action Center

Insights

Orchestrator (includes Identity)

Test Manager

CVE-2025-55182 & CVE-2025-66478

Vulnerabilities

UiPath has completed its initial investigation of the recent React.js/Next.js vulnerabilities: CVE-2025-55182 and CVE-2025-66478. At this time, no evidence has been found to indicate that UiPath products or UiPath Automation Cloud (including AC Dedicated and AC Public Sector) are affected by these vulnerabilities. Thank you.

Note: In addition, Cloudflare for AC and Akamai for ACPS already have protections in place.

UiPath Security Advisory Spring4Shell (CVE-2022-22965)

Vulnerabilities

This posting was originally posted to https://www.uipath.com/legal/trust-and-security/security-advisories and migrated to https://trust.uipath.com on November 21, 2025
This advisory is being retained for historical record
Publish Date: April 6, 2022

Version: 1.1

The UiPath Security and Product Engineering teams have been performing an exposure analysis of the Spring4Shell vulnerability, categorized as CVE-2022-22965, on the UiPath products. This post details our progress to date. Note that our assessment of products and services has been completed for the listed CVEs. We plan to update this page as material information becomes available. Our aim is to enable our customers to quickly mitigate risks to their security posture.

The following constitute our findings to date:

  1. The following products contain the vulnerable Spring Framework libraries but have no known risk because exploitation is already mitigated in these products. UiPath will update these products in a future release.

AI Center
Automation Suite
Cloud Elements
Insights
Test Manager

  2. Services in UiPath’s Automation Cloud that contained the vulnerable Spring Framework libraries have already been updated to fully remediate the vulnerability. Please note there was no known risk due to mitigation associated with these services.

  3. The following products, both cloud service and the on-premises versions, do not contain the vulnerable Spring Framework libraries and have no known risk at this time:

Studio (all types), Assistant, Robot (all types including AI Robots, Cloud Robots, etc.). All extensions packaged with Studio (browser extensions, etc.)

All UiPath Activity Packages published to the UiPath Official Feed

Orchestrator
Automation Hub (including Task Capture)
Data Service
Task Mining
Process Mining
Automation Ops
Action Center
Apps
High Availability Add-on (HAA)

Libwebp Critical Vulnerability CVE-2023-5129 & CVE-2023-4863

Vulnerabilities

This posting was originally posted to https://www.uipath.com/legal/trust-and-security/security-advisories and migrated to https://trust.uipath.com on November 21, 2025
All links have been removed as the affected versions are no longer in support. This advisory is being retained for historical record
UiPath Security Advisory: Libwebp Critical Vulnerability
CVE-2023-5129 & CVE-2023-4863
Publish Date: October 20, 2023
Version: 1.4

The UiPath Security and Product Engineering teams have completed initial analysis of the vulnerability in the Libwebp library, categorized as CVE-2023-4863, on UiPath products. Note that our assessment is complete, but additional updates will be released to address any products currently listed as mitigated. We will update this page as relevant information is available. Our aim is to enable our customers to quickly mitigate risks to their security posture.

This vulnerability relies on the processing of a specially crafted WebP image. The affected Libwebp library itself is used in most modern browsers, Linux distributions, and a large number of OSS libraries that process web content. For reliable exploitation to occur, an attacker would need to cause a malicious image to be processed by a vulnerable application, as well as manipulate the memory to ensure reliable exploitation. Further, modern browsers and Chromium based applications, such as Electron, run the library in a restricted environment, so an additional vulnerability that escapes the restricted sandbox would be required to successfully exploit this issue. It is possible that simply processing an image by an affected application could achieve less reliable exploitation.

The following constitute our findings to date:

  1. Products that contain the vulnerable library but have no known risk because exploitation is already mitigated in these products:

Robot* (Windows) (All Versions)
Studio* (All Versions)
Studio Web (All Versions)
*Assistant is included as part of a common installer for Robot and Studio. Customers leveraging Assistant should update as noted further below.

  2. The following products, both cloud service and the on-premises versions, do not contain the vulnerable library and have no known risk:

Activities* (21.10 & Higher)
Orchestrator (All Versions)
Automation Ops (All Versions)
Data Service (All Versions)
Insights (All Versions)
Process Mining (All Versions)
Test Manager (All Versions)
*UiPath.UIAutomation.Activities versions prior to 21.10 contain the vulnerable library, but are out of support. Please upgrade to a supported version if out-of-support Activities are being used.

  3. An update is available for the following products; please see details further below on this page in the Available Updates section:

Assistant (2022.10.0-22.10.10 & 2023.4.0–2023.4.4)*
Robot (Linux)
*Older versions of Assistant either do not contain the vulnerable library or the risk is already mitigated.

Automation Suite (21.10 - 22.10.7):

Action Center
AI Center
Apps
Automation Hub
Automation Ops
Document Understanding
Task Mining
Based on mitigation already in place, the severity of this vulnerability in Automation Suite products is reduced to CVSS: 2.7 (Low) with the exception of AI Center projects running on Python 3.7 which is categorized with a severity of CVSS: 5.6 (Medium). Customers may further reduce their risk to low by moving projects to Python 3.8 within AI Center. Doing so will reduce the vulnerability score to CVSS: 2.7 (Low).

  4. Cloud Products that have been remediated:

Action Center (Cloud)
AI Center (Cloud)
Automation Hub (Cloud)
Automation Ops (Cloud)
Document Understanding (Cloud)
Task Mining (Cloud)
Communications Mining (Cloud)
Integration Service (Cloud)

  5. Automation Suite Products with Partial Mitigation in place:

Automation Suite (23.4.2):

Action Center
AI Center
Apps
Automation Hub
Automation Ops
Document Understanding
Task Mining
Based on mitigation already in place, the severity of this vulnerability in Automation Suite products is reduced to CVSS: 2.7 (Low) with the exception of AI Center projects running on Python 3.7 which is categorized with a severity of CVSS: 5.6 (Medium). Customers may further reduce their risk to low by moving projects to Python 3.8 within AI Center. Doing so will reduce the vulnerability score to CVSS: 2.7 (Low).

  6. Cloud Products with mitigation in place:

Apps
Based on mitigation put in place, the severity of the vulnerability for Cloud Apps is reduced to a CVSS of 2.7 (Low).


Vulnerabilities

UiPath Security Advisory: CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105
Version: 1.3

The UiPath Security and Product Engineering teams have been performing an exposure analysis of the Log4J vulnerability, categorized as CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 on the UiPath products. This post details our progress to date. Note that our assessment of products and services has been completed for the listed CVEs. We plan to update this page as material information becomes available. Our aim is to enable our customers to quickly mitigate risks to their security posture.

The following constitute our findings to date:

  1. The Insights product does contain the vulnerable version of Apache Log4J for which details, including mitigation steps, are provided below.

  2. Automation Suite contains Insights and is therefore vulnerable. No other products within Automation Suite contain Apache Log4J.

  3. UiPath Automation Cloud including all services and micro-services has no known risk due to mitigation and updates made by the UiPath team.

  4. The following products, both cloud service and the on-premises versions, do not contain Apache Log4J-core and have no known risk at this time:

Studio (all types), Assistant, Robot (all types including AI Robots, Cloud Robots, etc.). All extensions packaged with Studio (browser extensions, etc.)
All UiPath Activity Packages published to the UiPath Official Feed
Orchestrator
Automation Hub (including Task Capture)
Data Service
Task Mining
Process Mining
Test Manager
Automation Ops
Action Center
Apps
AI Center (including Computer Vision & Document Understanding)
High Availability Add-on (HAA)

  5. Customers who leverage Elastic Search should know that some versions are vulnerable and have mitigation steps available on Elastic's website. Customers should follow the latest news from Elastic and reach out directly to them should they have any issues.

Note that the impact assessment is still ongoing. We will post material updates to this site as soon as they become available. Our aim is to enable our customers to quickly react to any weaknesses that could impact on their security posture.

Update: December 21, 2021

UiPath evaluated the impact of CVE-2021-45105 and confirmed that the stated analysis remains correct.

Update: December 22, 2021

UiPath has posted hotfixes for Insights 2021.10 and Automation Suite 2021.10.

Convenience Updates have also been posted for AI Center 2020.10 and 2021.4.

Update: December 23, 2021

UiPath has completed analysis of all products and services. Actions have been posted for all affected services.

This posting was originally posted to https://www.uipath.com/legal/trust-and-security/security-advisories and migrated to https://trust.uipath.com on November 21, 2025
All links have been removed as the affected versions are no longer in support. This advisory is being retained for historical record