TanStack NPM Compromise

Trust Center

Welcome to UiPath Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation. UiPath maintains a comprehensive information security management system and engages independent auditors to provide industry-standard certifications and attestations.


Documents

Reports: 2024 Pentest Report
Trust Center Updates

TanStack NPM Compromise

Incidents

Update - Malicious versions of NPM packages were available on registry.npmjs.org for approximately 1 hour before deprecation and ~6 hours before unpublish completed. No production systems, identity infrastructure, or customer data were accessed by the attacker based on information currently available to UiPath. We have provided a list of all affected packages that could have potentially been downloaded and executed by customers.

We have released a Full Public Postmortem of this event which can be found here

UiPath is aware of the NPM supply chain compromise affecting TanStack. We are continuing to investigate, but believe that the impact to UiPath has been successfully contained. Please see the attached Post Mortem Report.

CVE-2025-55315 Trust Center update

Vulnerabilities

Update October 27, 2025 (Trust Center - Public)

UiPath has deployed remediation patches to all affected services in the UiPath Automation Cloud and UiPath Automation Cloud Public Sector environments. Investigation is ongoing for all other services.

October 17, 2025 (Trust Center - Public)
UiPath Security Advisory CVE-2025-55315

Publish Date October 17, 2025

Version 1.0

Summary: UiPath is aware that Microsoft has released a security advisory to provide information about a vulnerability in ASP.NET Core 10.0, ASP.NET Core 9.0, ASP.NET Core 8.0, and ASP.NET Core 2.3. The vulnerability is due to inconsistent interpretation of HTTP requests ('HTTP request/response smuggling') in ASP.NET Core, which allows an authorized attacker to bypass a security feature over a network.

UiPath is currently investigating the impact to our products and systems. We will provide updates as soon as they are available.

CVE-2025-55315 Trust Center update

Update November 6, 2025

Patches are now available for all supported .msi packages, and for all affected services deployed through Automation Suite. Download links and release notes are provided below.

Automation Suite

Mitigation measures have been applied for all versions of Document Understanding:

.MSI Packages

Action Center
Insights
Orchestrator (includes Identity)
Test Manager

CVE-2025-55182 & CVE-2025-66478

Vulnerabilities

UiPath has completed our initial investigation of the recent React.js/Next.js vulnerabilities: CVE-2025-55182 and CVE-2025-66478. At this time, no evidence has been found to indicate that UiPath products or UiPath Automation Cloud (including AC Dedicated and AC Public Sector) are affected by these vulnerabilities. Thank you.

Note: In addition, Cloudflare for AC (Automation Cloud) and Akamai for ACPS (Automation Cloud Public Sector) already have protections in place.

UiPath Security Advisory Spring4Shell (CVE-2022-22965)

Vulnerabilities

This advisory was originally posted to https://www.uipath.com/legal/trust-and-security/security-advisories and migrated to https://trust.uipath.com on November 21, 2025. This advisory is being retained for historical record.
UiPath Security Advisory Spring4Shell (CVE-2022-22965)
Publish Date: April 6, 2022

Version: 1.1

The UiPath Security and Product Engineering teams have been performing an exposure analysis of the Spring4Shell vulnerability, categorized as CVE-2022-22965, on UiPath products. This post details our progress to date. Note that our assessment of products and services has been completed for the listed CVEs. We plan to update this page as material information becomes available. Our aim is to enable our customers to quickly mitigate risks to their security posture.

The following constitute our findings to date:

  1. The following products contain the vulnerable Spring Framework libraries but have no known risk because exploitation is already mitigated in these products. UiPath will update these products in a future release.

AI Center
Automation Suite
Cloud Elements
Insights
Test Manager

  2. Services in UiPath’s Automation Cloud that contained the vulnerable Spring Framework libraries have already been updated to fully remediate the vulnerability. Please note there was no known risk due to mitigation associated with these services.

  3. The following products, both cloud service and the on-premises versions, do not contain the vulnerable Spring Framework libraries and have no known risk at this time:

Studio (all types), Assistant, Robot (all types including AI Robots, Cloud Robots, etc.), and all extensions packaged with Studio (browser extensions, etc.)
All UiPath Activity Packages published to the UiPath Official Feed
Orchestrator
Automation Hub (including Task Capture)
Data Service
Task Mining
Process Mining
Automation Ops
Action Center
Apps
High Availability Add-on (HAA)

Libwebp Critical Vulnerability CVE-2023-5129 & CVE-2023-4863

Vulnerabilities

This advisory was originally posted to https://www.uipath.com/legal/trust-and-security/security-advisories and migrated to https://trust.uipath.com on November 21, 2025. All links have been removed as the affected versions are no longer in support. This advisory is being retained for historical record.
UiPath Security Advisory: Libwebp Critical Vulnerability
CVE-2023-5129 & CVE-2023-4863
Publish Date: October 20, 2023
Version: 1.4

The UiPath Security and Product Engineering teams have completed initial analysis of the vulnerability in the Libwebp library, categorized as CVE-2023-4863, on UiPath products. Note that our assessment is complete, but additional updates will be released to address any products currently listed as mitigated. We will update this page as relevant information is available. Our aim is to enable our customers to quickly mitigate risks to their security posture.

This vulnerability relies on the processing of a specially crafted WebP image. The affected Libwebp library is used in most modern browsers, Linux distributions, and a large number of OSS libraries that process web content. For reliable exploitation to occur, an attacker would need to cause a malicious image to be processed by a vulnerable application and also manipulate memory to ensure reliable exploitation. Further, modern browsers and Chromium-based applications, such as Electron, run the library in a restricted environment, so an additional vulnerability that escapes the restricted sandbox would be required to successfully exploit this issue. It is possible that simply having an affected application process an image could achieve less reliable exploitation.

The following constitute our findings to date:

  1. Products that contain the vulnerable library but have no known risk because exploitation is already mitigated in these products:

Robot* (Windows) (All Versions)
Studio* (All Versions)
Studio Web (All Versions)
*Assistant is included as part of a common installer for Robot and Studio. Customers leveraging Assistant should update as noted further below.

  2. The following products, both cloud service and the on-premises versions, do not contain the vulnerable library and have no known risk:

Activities* (21.10 & Higher)
Orchestrator (All Versions)
Automation Ops (All Versions)
Data Service (All Versions)
Insights (All Versions)
Process Mining (All Versions)
Test Manager (All Versions)
*UiPath.UIAutomation.Activities prior to 21.10 contain the vulnerable library, but are out of support. Please upgrade to a supported version if out of support Activities are being used.

  3. An update is available for the following products; please see the details further below on this page in the Available Updates section:

Assistant (2022.10.0-22.10.10 & 2023.4.0-2023.4.4)*
Robot (Linux)
*Older versions of Assistant either do not contain the vulnerable library or the risk is already mitigated.

Automation Suite (21.10 - 22.10.7):

Action Center
AI Center
Apps
Automation Hub
Automation Ops
Document Understanding
Task Mining
Based on mitigation already in place, the severity of this vulnerability in Automation Suite products is reduced to CVSS 2.7 (Low), with the exception of AI Center projects running on Python 3.7, which are categorized with a severity of CVSS 5.6 (Medium). Customers may further reduce their risk to Low by moving projects to Python 3.8 within AI Center. Doing so will reduce the vulnerability score to CVSS 2.7 (Low).

  4. Cloud Products that have been remediated:

Action Center (Cloud)
AI Center (Cloud)
Automation Hub (Cloud)
Automation Ops (Cloud)
Document Understanding (Cloud)
Task Mining (Cloud)
Communications Mining (Cloud)
Integration Service (Cloud)
  5. Automation Suite Products with Partial Mitigation in place:

Automation Suite (23.4.2):

Action Center
AI Center
Apps
Automation Hub
Automation Ops
Document Understanding
Task Mining
Based on mitigation already in place, the severity of this vulnerability in Automation Suite products is reduced to CVSS 2.7 (Low), with the exception of AI Center projects running on Python 3.7, which are categorized with a severity of CVSS 5.6 (Medium). Customers may further reduce their risk to Low by moving projects to Python 3.8 within AI Center. Doing so will reduce the vulnerability score to CVSS 2.7 (Low).

  6. Cloud Products with mitigation in place:

Apps
Based on the mitigation put in place, the severity of the vulnerability for Cloud Apps is reduced to CVSS 2.7 (Low).
