CVE-2025-31692
Published: 31 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-31692 is an OS Command Injection vulnerability (CWE-78) in the Drupal AI (Artificial Intelligence) module, stemming from improper neutralization of special elements used in OS commands. This flaw affects all versions of the module from 0.0.0 up to but not including 1.0.5. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact despite elevated attack complexity.
A low-privileged user (PR:L) can exploit this over the network (AV:N) with no user interaction (UI:N), but exploitation requires high attack complexity (AC:H) and the scope is unchanged (S:U). Successful exploitation yields high impact on confidentiality, integrity and availability (C:H/I:H/A:H): the attacker executes arbitrary OS commands on the server hosting the Drupal site, with the privileges of the web server or PHP process.
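As an added illustration of the CWE-78 pattern named above, the PHP below places a vulnerable command construction beside two hardened forms. It is not the Drupal AI module's code and does not reproduce the module's vulnerable code path, which the advisory does not show; the tool name "ai-cli", the function names and the sample input are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration of CWE-78 (OS command injection) in PHP, the language
// Drupal modules are written in. This is NOT the Drupal AI module's code:
// the tool name "ai-cli", the function names and the inputs are assumptions.

/**
 * Vulnerable pattern: untrusted text is concatenated into a single shell
 * string. Whatever runs this string (shell_exec, exec, system, passthru)
 * hands it to /bin/sh -c, so metacharacters such as ; | & ` $( ) > in
 * $userPrompt are interpreted by the shell instead of reaching ai-cli.
 */
function buildCommandVulnerable(string $userPrompt): string
{
    return 'ai-cli --prompt ' . $userPrompt;
}

/**
 * Hardened pattern 1: quote every untrusted value with escapeshellarg().
 * The command still goes through the shell, but the user value becomes one
 * single-quoted token and cannot terminate or chain commands.
 */
function buildCommandEscaped(string $userPrompt): string
{
    return 'ai-cli --prompt ' . escapeshellarg($userPrompt);
}

/**
 * Hardened pattern 2 (preferred): do not invoke a shell at all. Since PHP
 * 7.4, proc_open() accepts an argv array and executes the program directly,
 * so the user value reaches the program verbatim as exactly one argument.
 * Drupal ships Symfony Process, whose `new Process([...])` behaves the same.
 */
function runWithoutShell(array $argv): array
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start process');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

// Constructed attacker input: a "prompt" that tries to chain a second command.
$malicious = 'hello; id';

// The vulnerable string contains an unquoted ";" so a shell would run "id"
// as a separate command; the escaped string wraps the whole value in quotes.
echo "vulnerable: " . buildCommandVulnerable($malicious) . PHP_EOL;
echo "escaped:    " . buildCommandEscaped($malicious) . PHP_EOL;

// With an argv array and /bin/echo standing in for the AI tool, the value is
// echoed back literally; no shell ever sees the ";".
$result = runWithoutShell(['/bin/echo', '--prompt', $malicious]);
echo "argv (no shell): " . $result['stdout'];
```

When auditing a module for this bug class, search for shell_exec, exec, system, passthru, popen, backtick operators and Symfony's Process::fromShellCommandline(), and check whether any value reaching them originates from request data, configuration a low-privileged role can edit, or content returned by an external AI provider. Quoting with escapeshellarg() is an acceptable fallback, but an argv array that never touches a shell removes the whole class of metacharacter bugs rather than one instance of it.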
The Drupal security advisory at https://www.drupal.org/sa-contrib-2025-021 details the issue and mitigation, recommending an upgrade to Drupal AI version 1.0.5 or later to address the vulnerability.
This vulnerability is notable because the affected module exists specifically to integrate AI functionality into Drupal, which illustrates the additional attack surface AI integrations bring to web applications. No public information on in-the-wild exploitation was available as of the CVE publication date (2025-03-31).
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
- Affected Products: Drupal AI (Artificial Intelligence) module, versions from 0.0.0 up to but not including 1.0.5
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: The vulnerability affects 'Drupal AI (Artificial Intelligence)', a module for the Drupal CMS platform that integrates AI capabilities. It is classified under 'Other Platforms' because it is an AI extension to a web/content management platform rather than a core DL/ML framework or a specific AI subdomain.
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1059: Command and Scripting Interpreter
Why these techniques?
The OS Command Injection vulnerability in the Drupal AI module is reachable through a public-facing web application, so initial access maps to T1190 (Exploit Public-Facing Application); the payload is arbitrary OS commands run by a command interpreter on the server, which maps to T1059 (Command and Scripting Interpreter).