Cross-Site Request Forgery Vulnerability in Drupal's General Data Protection Regulation Plugin
CVE-2025-31689

8.1HIGH

Key Information:

Vendor

Drupal
Status
General Data Protection Regulation
Vendor
CVE Published:
31 March 2025

What is CVE-2025-31689?

A Cross-Site Request Forgery (CSRF) vulnerability in the General Data Protection Regulation plugin for Drupal allows attackers to execute unauthorized actions on behalf of an authenticated user. This vulnerability affects versions from 0.0.0 up to, but not including, 3.0.1 and from 3.1.0 up to, but not including, 3.1.2. Exploiting this flaw could enable malicious entities to manipulate user sessions, leading to potential data breaches or unauthorized access to sensitive information. Users are advised to update to the latest patched versions to mitigate the risks associated with this vulnerability.

Affected Version(s)

General Data Protection Regulation 0.0.0 < 3.0.1

General Data Protection Regulation 3.1.0 < 3.1.2

References

https://www.drupal.org/sa-contrib-2025-018

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Rudloff (prudloff)
Peter Pónya (pedrop)
szato
Greg Knaddison (greggles)
.
CVE-2025-31689 : Cross-Site Request Forgery Vulnerability in Drupal's General Data Protection Regulation Plugin