CVE-2025-31691
Published: 31 March 2025
Description (of the mapped ATT&CK technique)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-31691 is a missing authorization vulnerability (CWE-862) in the Drupal OAuth2 Server module that enables forceful browsing. The issue affects all versions of the OAuth2 Server module from 0.0.0 up to but not including 2.1.0.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Unauthenticated attackers can leverage forceful browsing to bypass authorization controls, potentially achieving high impacts on confidentiality, integrity, and availability of the affected Drupal instance.
The Drupal security advisory SA-CONTRIB-2025-020, available at https://www.drupal.org/sa-contrib-2025-020, documents the vulnerability and provides guidance on mitigation, including upgrading to OAuth2 Server version 2.1.0 or later.
Details
- CWE(s): CWE-862 (Missing Authorization)
- Affected Products: Drupal OAuth2 Server module, versions 0.0.0 up to but not including 2.1.0
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application (Initial Access)
Why these techniques?
The CVE describes a critical unauthenticated remote authorization bypass (forceful browsing) in a public-facing Drupal OAuth2 Server module, directly enabling exploitation of public-facing applications for initial access with high impact on confidentiality, integrity, and availability.