Object Injection Vulnerability in Drupal Core
CVE-2025-31674
7.5 HIGH
Summary
Drupal core improperly controls the modification of dynamically-determined object attributes, which can lead to object injection attacks. Malicious users could exploit this issue to manipulate objects in a way that circumvents intended application logic, potentially compromising the security of the application. Users of affected Drupal versions should apply the necessary updates to mitigate the risk.
Affected Version(s)
Drupal core >= 8.0.0, < 10.3.13
Drupal core >= 10.4.0, < 10.4.3
Drupal core >= 11.0.0, < 11.0.12
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
anzuukino
shin24
ghost of drupal past
Dave Long (longwave)
Drew Webber (mcdruid)
nicxvan
shin24