CVE-2025-31674
Published: 31 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-31674 is an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal core that enables object injection. It affects Drupal core versions from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, and from 11.1.0 before 11.1.3. The vulnerability is associated with CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) and CWE-913 (Improper Control of Dynamically-Managed Code Resources), carrying a CVSS v3.1 base score of 7.5 (High) with the vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with high attack complexity and no user interaction required. Successful exploitation allows arbitrary object injection, potentially leading to high-impact confidentiality, integrity, and availability violations on the affected Drupal instance.
The official Drupal security advisory SA-CORE-2025-003, available at https://www.drupal.org/sa-core-2025-003, details mitigation through upgrading to the patched versions: Drupal core 10.3.13, 10.4.3, 11.0.12, or 11.1.3, depending on the supported branch.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables network-based object injection in public-facing Drupal web app with low-priv auth, directly facilitating T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation) to achieve high C/I/A impact.