Platform
drupal
Component
drupal
Fixed in
10.3.13
10.4.3
11.0.12
11.1.3
CVE-2025-31674 describes an object injection vulnerability in Drupal core, classified as improperly controlled modification of dynamically-determined object attributes, which can lead to unauthorized actions or data manipulation. It affects Drupal core versions from 8.0.0 before 10.3.13, 10.4.0 before 10.4.3, 11.0.0 before 11.0.12, and 11.1.0 before 11.1.3. The vulnerability is fixed in version 10.3.13.
CVE-2025-31674 is an object injection vulnerability in Drupal core that allows an attacker to modify dynamically-determined object attributes in an uncontrolled manner. Depending on how the injection is used, this can lead to remote code execution, privilege escalation, or denial of service. The vulnerability affects Drupal core versions from 8.0.0 up to 10.3.12, 10.4.0 up to 10.4.2, 11.0.0 up to 11.0.11, and 11.1.0 up to 11.1.2. Its severity is high, since in many cases an attacker may be able to exploit it without authentication. Object injection is a critical class of vulnerability that requires immediate attention to prevent security breaches.
The vulnerability is exploited through manipulation of dynamically determined object attributes: an attacker could inject malicious content into the attributes of an object, which Drupal would then execute. Missing input validation is what lets an attacker control the values of these attributes. Whether and how this can be exploited depends on the specific configuration of the Drupal site and the modules installed, and a deep understanding of Drupal's internals is required to exploit it effectively. Where no authentication is required, exploitation is easier, which increases the risk to unpatched sites.
Exploit status
EPSS
1.04% (77th percentile)
The primary mitigation for CVE-2025-31674 is to update Drupal core to version 10.3.13, 10.4.3, 11.0.12, or 11.1.3, depending on the branch in use; these releases contain the patches that address the vulnerability. Additionally, review the third-party modules installed to ensure they are also up to date and do not introduce new vulnerabilities. Good security practices such as input validation and data sanitization further reduce the risk of exploitation. Monitoring server logs for suspicious activity is crucial for detecting and responding to attempted attacks, and regular security audits of the Drupal site help identify and remediate vulnerabilities before they are exploited.
Update Drupal core to the latest available version. Specifically, update to version 10.3.13 or later, 10.4.3 or later, 11.0.12 or later, or 11.1.3 or later, depending on the Drupal branch you are using. This resolves the object injection vulnerability.
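To turn the affected and fixed version lists above into a repeatable check, the following Python script reads a composer.lock, finds the pinned Drupal core release and reports whether it falls inside one of the four affected ranges and which release of that branch closes the hole. This is an added example written for this page, not code from Drupal or from the site hosting this record; the version ranges are taken from the advisory text above, the sample lock file is constructed, and the assumption that core is pinned as `drupal/core` or `drupal/core-recommended` is mine.

```python
"""Check a composer.lock for a Drupal core release affected by CVE-2025-31674.

Hypothetical helper written for this page; the version ranges come from the
advisory text, the sample lock file at the bottom is constructed.
"""
import json
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release branch, as stated in the advisory.
AFFECTED_RANGES = [
    ((8, 0, 0), (10, 3, 13)),
    ((10, 4, 0), (10, 4, 3)),
    ((11, 0, 0), (11, 0, 12)),
    ((11, 1, 0), (11, 1, 3)),
]

# Assumption: a site pins core through one of these two Composer package names.
DRUPAL_CORE_PACKAGES = {"drupal/core", "drupal/core-recommended"}


def parse_version(version: str) -> Version:
    """'10.3.12', 'v10.3.12' or '10.3.12-dev' -> (10, 3, 12).

    Non-numeric components such as the 'x' in '10.3.x-dev' become 0, which
    errs on the side of reporting a development branch as affected.
    """
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def fixed_version_for(version: str) -> Optional[str]:
    """Release that closes the hole for this version's branch, or None if not affected."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def check_composer_lock(lock_json: str) -> Dict[str, Tuple[str, bool]]:
    """Map each Drupal core package in the lock file to (installed version, affected?)."""
    lock = json.loads(lock_json)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name")
            if name in DRUPAL_CORE_PACKAGES:
                findings[name] = (pkg["version"], is_affected(pkg["version"]))
    return findings


# Constructed sample: a minimal composer.lock pinning a vulnerable core release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.12"},
        {"name": "symfony/yaml", "version": "v6.4.8"},
    ],
    "packages-dev": [],
})


def main() -> None:
    # Pass the path of a real composer.lock, or run without arguments to use the sample.
    lock_json = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    findings = check_composer_lock(lock_json)
    if not findings:
        print("no Drupal core package found in lock file")
    for name, (ver, affected) in findings.items():
        if affected:
            print(f"{name} {ver}: AFFECTED by CVE-2025-31674, update to {fixed_version_for(ver)}")
        else:
            print(f"{name} {ver}: not in an affected range")


if __name__ == "__main__":
    main()
```

The ranges are compared as integer tuples, so 10.3.14 is correctly treated as fixed even though the second range starts at 10.4.0, and anything below 8.0.0 is outside every range. For a fleet of sites the same function can be run over each site's lock file in CI, which is a cheaper first pass than a full scanner.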
Object injection is a vulnerability that allows an attacker to manipulate the attributes of objects in a program, potentially leading to the execution of malicious code.
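The weakness class named in this record (improperly controlled modification of dynamically-determined object attributes) is easiest to see in a small generic example. Below, as an added illustration written for this page and not Drupal's code, an update handler first lets the request body choose which attributes to write, so a field like `is_admin` can be overwritten, and then the hardened version restricts writes to a fixed allowlist and fails closed on anything else. The `UserProfile` class, the `WRITABLE_FIELDS` allowlist and the request payload are all constructed for the illustration.

```python
"""Generic illustration of uncontrolled modification of dynamically-determined object
attributes and an allowlisted fix. Hypothetical code written for this page, not Drupal's;
the UserProfile class and the request payload are constructed."""
from dataclasses import dataclass


@dataclass
class UserProfile:
    username: str
    display_name: str = ""
    email: str = ""
    is_admin: bool = False  # internal state that must never be writable from a request


def apply_update_unsafe(profile: UserProfile, payload: dict) -> UserProfile:
    """Weak pattern: every key in the untrusted payload selects the attribute to write."""
    for name, value in payload.items():
        setattr(profile, name, value)
    return profile


# Hardened pattern: the set of writable attributes is fixed in code, not chosen by the caller.
WRITABLE_FIELDS = frozenset({"display_name", "email"})


class RejectedField(ValueError):
    """Raised when a request tries to set an attribute outside the allowlist."""


def apply_update_safe(profile: UserProfile, payload: dict) -> UserProfile:
    unexpected = set(payload) - WRITABLE_FIELDS
    if unexpected:
        # Fail closed; the rejected names are worth logging as a detection signal.
        raise RejectedField(f"refused to set non-writable field(s): {sorted(unexpected)}")
    for name in WRITABLE_FIELDS & set(payload):
        setattr(profile, name, payload[name])
    return profile


# Constructed request body: a legitimate field plus an attribute the user must not control.
PAYLOAD = {"display_name": "Alice", "is_admin": True}


def demo() -> tuple:
    """Return (is_admin after the unsafe update, outcome of the safe update) for PAYLOAD."""
    unsafe = apply_update_unsafe(UserProfile("alice"), dict(PAYLOAD))
    try:
        apply_update_safe(UserProfile("alice"), dict(PAYLOAD))
        safe_outcome = "accepted"
    except RejectedField as exc:
        safe_outcome = str(exc)
    return unsafe.is_admin, safe_outcome


if __name__ == "__main__":
    escalated, outcome = demo()
    print("unsafe update granted admin:", escalated)
    print("safe update:", outcome)
```

Rejecting unknown fields rather than silently dropping them matters for operations: the rejection is a clean, loggable event that a detection rule can alert on, whereas silent filtering hides probing attempts.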
If your Drupal site is running a vulnerable version, an attacker could execute malicious code on your server, compromising the security of your site and your data.
If you can't update immediately, consider implementing temporary mitigation measures, such as restricting access to certain areas of the site and monitoring server logs.
There are vulnerability scanners that can detect CVE-2025-31674. You can also review server logs for suspicious activity.
You can find more information about CVE-2025-31674 on the National Vulnerability Database (NVD) website and in Drupal's documentation.