Platform
drupal
Component
drupal
Fixed in
10.4.9
10.5.6
11.1.9
11.2.8
CVE-2025-13081 describes an object injection vulnerability in Drupal Core, classified as improperly controlled modification of dynamically-determined object attributes (CWE-915): request-controlled data can decide which attributes of an internal object are written. It affects Drupal Core versions from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, and from 11.2.0 before 11.2.8. The fixed releases are 10.4.9, 10.5.6, 11.1.9 and 11.2.8 respectively; upgrade to the fixed release of the branch you are on.
Successful exploitation of CVE-2025-13081 could allow an attacker to inject or alter objects inside Drupal's processing, which in the worst case leads to arbitrary code execution or data manipulation. An attacker could leverage this to gain unauthorized access to sensitive data, modify site configuration, or take complete control of the Drupal instance. The blast radius extends to any data reachable through the Drupal application, including user credentials, configuration and whatever business data the site stores. No real-world exploitation of this specific vulnerability has been publicly reported, but object injection flaws in comparable PHP applications have historically been chained to remote code execution.
CVE-2025-13081 was published on 2025-11-18. No CVSS severity score has been assigned on this page yet. No public proof-of-concept exploit is currently known. The vulnerability is not listed in CISA's KEV catalog, and its EPSS score is 0.20% (42nd percentile), which corresponds to a low estimated probability of exploitation in the near term. Monitor Drupal security advisories and community discussions for updates on exploitation attempts.
Exploit status
EPSS
0.20% (42nd percentile)
CVSS vector
The primary mitigation for CVE-2025-13081 is to upgrade Drupal Core to the fixed release of your branch: 10.4.9, 10.5.6, 11.1.9 or 11.2.8, or a later release of that branch. If an immediate upgrade is not feasible, tighten access controls so that fewer accounts can reach the request paths that write to internal objects, and review and harden Drupal's configuration to minimize the attack surface. No direct workaround is available, but keeping all contributed modules up to date and following Drupal's security best practices reduces the risk. After upgrading, confirm the fix by verifying the installed drupal/core version (for example with composer show drupal/core, drush status, or the Status report page) rather than by attempting to reproduce the issue, since no public proof of concept exists to reproduce it with.
Update Drupal core to the latest available version. Specifically, update to version 10.4.9, 10.5.6, 11.1.9 or 11.2.8, or a later release. This resolves the object injection vulnerability.
Object injection is a vulnerability class in which attacker-controlled input influences how an application constructs or modifies its own objects. In PHP it typically arises either when untrusted data reaches unserialize(), or when request data is used to choose which object properties get written (mass assignment of dynamically-determined attributes). The CWE wording of this advisory points to the second pattern; the advisory itself does not disclose the affected code path. Either way the result can be altered internal state, privilege escalation, or code execution through a property that something later executes.
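The following PHP snippet is an added, generic illustration of the attribute-modification pattern described above; it is not Drupal's code and does not reflect the actual affected code path, which the advisory does not disclose. The class UserProfile, the functions applyUpdatesUnsafe and applyUpdatesSafe, and the request array are all assumptions constructed for the example. The unsafe variant lets the request decide which property is written, so an injected isAdmin key escalates privileges; the hardened variant validates every key and type against an allowlist before writing anything.

```php
<?php
// Added illustration of CWE-915-style object injection (generic PHP, constructed
// for this example; not Drupal's code and not the advisory's affected code path).

final class UserProfile {
    public string $displayName = '';
    public string $email = '';
    // Internal attribute that must never be writable from request data.
    public bool $isAdmin = false;
}

// VULNERABLE: every key of the request array becomes the name of a property to
// write, so the client decides which attributes of the object are modified.
function applyUpdatesUnsafe(UserProfile $profile, array $request): void {
    foreach ($request as $attribute => $value) {
        $profile->$attribute = $value;
    }
}

// HARDENED: an explicit allowlist of request keys and their expected PHP types.
// Validation runs over the whole request before any write, so a rejected
// request leaves the object untouched instead of partially updated.
function applyUpdatesSafe(UserProfile $profile, array $request): void {
    $allowed = ['displayName' => 'string', 'email' => 'string'];
    foreach ($request as $attribute => $value) {
        if (!array_key_exists($attribute, $allowed)) {
            throw new InvalidArgumentException("Attribute not settable: $attribute");
        }
        if (gettype($value) !== $allowed[$attribute]) {
            throw new InvalidArgumentException("Unexpected type for $attribute");
        }
    }
    foreach ($request as $attribute => $value) {
        $profile->$attribute = $value;
    }
}

// Constructed request body: one legitimate field plus an injected internal attribute.
$request = ['displayName' => 'alice', 'isAdmin' => true];

$unsafe = new UserProfile();
applyUpdatesUnsafe($unsafe, $request);
printf("unsafe path: isAdmin=%s\n", var_export($unsafe->isAdmin, true));

$safe = new UserProfile();
try {
    applyUpdatesSafe($safe, $request);
} catch (InvalidArgumentException $e) {
    printf("safe path rejected the request: %s\n", $e->getMessage());
}
printf("safe path: isAdmin=%s\n", var_export($safe->isAdmin, true));
```

Run it with php on the command line. The design point is that the allowlist is keyed by the attribute name, not by a denylist of "dangerous" names: a denylist silently breaks the moment a new sensitive property is added to the class, whereas an allowlist has to be extended deliberately.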
If you cannot update immediately, consider additional compensating measures, such as restricting access to administrative and content-editing areas of the site to trusted accounts and monitoring web server and Drupal logs for suspicious activity.
The vulnerability affects websites running the Drupal core versions listed above. Note that "more recent" is not enough on its own, because each supported branch has its own fixed release: a site on 10.5.3, for example, is newer than 10.4.9 but still affected. You are protected if you run 10.4.9, 10.5.6, 11.1.9 or 11.2.8, or a later release within the same branch.
You can find more information about this vulnerability on the Drupal website and vulnerability databases like NIST NVD.
You can verify the Drupal version you are using from the administration interface on the Status report page (Reports > Status report), or from the command line with composer show drupal/core in the project root or drush status, which prints the Drupal version. The drupal/core entry in composer.lock records the installed version as well.
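As an added example (not from this page or from the Drupal project), the PHP script below reads the drupal/core version out of a composer.lock file and checks it against the four affected ranges stated in the advisory, so the check can be scripted across many sites instead of read off the Status report page by hand. The constant CVE_2025_13081_RANGES, the functions isAffected and drupalCoreVersion, and the embedded sample lock fragment are all constructed for the example.

```php
<?php
// Added example: check the installed drupal/core version from composer.lock
// against the affected ranges for CVE-2025-13081. Constructed for this page;
// not Drupal's or the page's own tooling.

/** Affected ranges as [first affected, first fixed) pairs, as stated in the advisory. */
const CVE_2025_13081_RANGES = [
    ['8.0.0',  '10.4.9'],
    ['10.5.0', '10.5.6'],
    ['11.0.0', '11.1.9'],
    ['11.2.0', '11.2.8'],
];

/** True if $version lies inside one of the half-open affected ranges. */
function isAffected(string $version, array $ranges = CVE_2025_13081_RANGES): bool {
    foreach ($ranges as [$firstAffected, $firstFixed]) {
        if (version_compare($version, $firstAffected, '>=')
            && version_compare($version, $firstFixed, '<')) {
            return true;
        }
    }
    return false;
}

/** Extracts the drupal/core version from composer.lock JSON, or null if absent. */
function drupalCoreVersion(string $lockJson): ?string {
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $package) {
        if (($package['name'] ?? '') === 'drupal/core') {
            // Some lock files carry a leading "v"; version_compare wants it stripped.
            return ltrim((string) $package['version'], 'v');
        }
    }
    return null;
}

// Constructed minimal composer.lock fragment used when no path is given.
$sampleLock = json_encode(['packages' => [
    ['name' => 'drupal/core', 'version' => '10.4.8'],
]]);

$path = $argv[1] ?? null;
$lockJson = $path !== null ? file_get_contents($path) : $sampleLock;
$version = drupalCoreVersion($lockJson);
if ($version === null) {
    fwrite(STDERR, "drupal/core not found in lock file\n");
    exit(2);
}
$affected = isAffected($version);
printf("drupal/core %s: %s\n", $version, $affected ? 'AFFECTED by CVE-2025-13081' : 'not affected');
exit($affected ? 1 : 0);
```

Usage: php check.php /path/to/composer.lock; the exit code is 1 when the site is affected, so the script can gate a CI job. The ranges are half-open on purpose: 10.4.9 itself is the first fixed release of its branch and is reported as not affected, while 10.5.3 falls into the second range even though it is numerically newer than 10.4.9.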