Cyber Posture

CVE-2025-31677

High

Published: 31 March 2025
Modified: 04 June 2025
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-31677 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Drupal AI (Artificial Intelligence) contributed module. This flaw affects versions of the module from 1.0.0 up to but not including 1.0.2 and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by unauthenticated attackers over the network with low attack complexity; the only requirement is user interaction, such as a victim visiting a malicious webpage while logged in. Authenticated Drupal users on sites with the AI module enabled are at risk: an attacker can trick them into performing unintended state-changing actions on the site via forged requests, potentially leading to high-impact outcomes such as unauthorized data access, data modification, or denial of service.

The official Drupal security advisory SA-CONTRIB-2025-003 at https://www.drupal.org/sa-contrib-2025-003 details the issue and recommends upgrading to Drupal AI (Artificial Intelligence) version 1.0.2 or later, which resolves the CSRF protection deficiency. Site administrators should also review access controls for the module and ensure CSRF tokens are properly enforced on relevant endpoints.

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

Affected Products

Vendor: artificial intelligence project
Product: artificial intelligence
Versions: 1.0.0 up to but not including 1.0.2

AI Security Analysis

AI Category: Other Platforms
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Drupal AI is a module for the Drupal CMS platform that integrates AI functionality. It fits under 'Other Platforms' because it is a web platform extension for AI rather than a core ML framework, library, or specific AI subdomain.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CSRF vulnerability in the Drupal AI module, which is part of a public-facing web application, enables adversaries to gain initial access by forging authenticated requests on behalf of victims.

References