Cross-Site Request Forgery Vulnerability in Drupal's General Data Protection Regulation Plugin
CVE-2025-31689

8.1HIGH

Key Information:

Vendor: Drupal
Status: General Data Protection Regulation
Vendor: CVE Published:; 31 March 2025

Summary

A Cross-Site Request Forgery (CSRF) vulnerability in the General Data Protection Regulation plugin for Drupal allows attackers to execute unauthorized actions on behalf of an authenticated user. This vulnerability affects versions from 0.0.0 up to, but not including, 3.0.1 and from 3.1.0 up to, but not including, 3.1.2. Exploiting this flaw could enable malicious entities to manipulate user sessions, leading to potential data breaches or unauthorized access to sensitive information. Users are advised to update to the latest patched versions to mitigate the risks associated with this vulnerability.

Affected Version(s)

General Data Protection Regulation 0.0.0 < 3.0.1

General Data Protection Regulation 3.1.0 < 3.1.2

References

https://www.drupal.org/sa-contrib-2025-018

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 31, 2025
Vulnerability Reserved
Mar 31, 2025

Credit

Pierre Rudloff (prudloff)

Peter PÃ³nya (pedrop)

szato

Greg Knaddison (greggles)