HIGH · CVE-2022-25277 · CVSS 7.2

CVE-2022-25277: Drupal Core RCE via Filename Sanitization

Platform

drupal

Component

drupal

Fixed in

9.3.19

9.4.3

AI Confidence: high · NVD · EPSS 0.3% · Reviewed: Mar 2026

CVE-2022-25277 is a vulnerability in Drupal Core related to filename sanitization. It can lead to remote code execution (RCE) on Apache web servers if a site allows uploads of files with a .htaccess extension, bypassing core protections. This affects Drupal Core versions up to and including 9.3.9. The vulnerability is fixed in Drupal version 9.3.19.


Impact and Attack Scenarios

CVE-2022-25277 in Drupal Core affects how filenames are sanitized during upload. While Drupal already implemented measures to prevent the upload of files with dangerous extensions (like .htaccess) and stripped leading/trailing dots from filenames, these protections did not interact correctly. In configurations where .htaccess extensions were allowed, the filename sanitization would fail, potentially allowing malicious server configuration files to be uploaded. This could lead to remote code execution, compromising the website's security.
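The two invariants a defender wants from upload filename sanitization on an Apache-served site, written as an added example (this is not Drupal's own code): dot stripping and the dangerous-extension check are applied to the final stored name, and `htaccess` is blocked even when the site's allow-list contains it. `audit_allowed_extensions` flags the misconfiguration this CVE depends on, and `find_server_config_files` is an incident-response sweep over a constructed directory listing; the `_.txt` munge mimics Drupal's style of defusing disallowed extensions and is an assumption, not its exact implementation.

```python
# Extensions an Apache-served upload directory must never accept, whatever the
# site's allow-list says. The page discusses .htaccess; .htpasswd is included
# here because Apache reads it as configuration in the same way.
SERVER_CONFIG_EXTENSIONS = {"htaccess", "htpasswd"}

# Constructed sample listing of an upload directory (not real data).
SAMPLE_UPLOAD_LISTING = [".htaccess", "2024-05/photo.jpg",
                         "2024-05/.htaccess", "docs/report.pdf"]


def _normalize_exts(allowed):
    return {e.lower().lstrip(".") for e in allowed}


def audit_allowed_extensions(allowed):
    """Return configured extensions that would let server config files through."""
    return sorted(_normalize_exts(allowed) & SERVER_CONFIG_EXTENSIONS)


def safe_upload_name(filename, allowed):
    """Sanitize an upload name so the stored file can never act as Apache config.
    Dot stripping runs first, so '.htaccess' cannot hide behind its leading dot,
    and the block-list is applied to the final name regardless of the allow-list.
    """
    name = filename.strip().strip(".")        # '.htaccess' -> 'htaccess'
    if not name:
        raise ValueError("empty filename after sanitization")
    base, dot, ext = name.rpartition(".")
    if not dot:                               # no extension at all
        base, ext = name, ""
    ext = ext.lower()
    if ext in SERVER_CONFIG_EXTENSIONS or name.lower() in SERVER_CONFIG_EXTENSIONS:
        raise ValueError(f"refusing server configuration file: {filename!r}")
    if ext and ext not in _normalize_exts(allowed) - SERVER_CONFIG_EXTENSIONS:
        return f"{base}.{ext}_.txt"           # Drupal-style munge: defuse the extension
    return name


def find_server_config_files(paths):
    """Incident-response sweep over relative paths under the upload directory
    (e.g. the output of `find sites/default/files -type f`): return the ones Apache
    would read as config. Drupal writes its own protective .htaccess at the top
    level; compare that one with its expected content, and treat any hit in a
    subdirectory as suspect."""
    hits = []
    for p in paths:
        basename = p.replace("\\", "/").rsplit("/", 1)[-1]
        if basename.lower().rsplit(".", 1)[-1] in SERVER_CONFIG_EXTENSIONS:
            hits.append(p)
    return sorted(hits)
```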

Exploitation Context

An attacker could exploit this vulnerability if the Drupal site is configured to allow uploads with the .htaccess extension and the filename sanitization is not functioning correctly. The attacker could upload a malicious .htaccess file containing rules to modify the web server configuration, enabling arbitrary code execution or unauthorized access to sensitive resources. The likelihood of exploitation depends on the specific site configuration and the presence of other vulnerabilities.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
NextGuard: 33% still vulnerable

EPSS

0.29% (53rd percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (base score 7.2, High; nextguardhq.com, CVSS v3.1 base score)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: drupal
Vendor: Drupal

Affected range: 9.3.0 – 9.3.18 (fixed in 9.3.19)
Affected range: 9.4.0 – 9.4.2 (fixed in 9.4.3)
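An added example (not NextGuard's or Drupal's tooling) that performs the "am I affected" check offline: it reads the `drupal/core` entry from a composer.lock and compares it against the affected ranges from the table above. The lock excerpt is constructed for the demonstration, and versions outside the listed ranges are reported as not assessed rather than as safe.

```python
import json

# Affected ranges and fixed versions from this page's "Affected Software" table.
AFFECTED_RANGES = (
    (("9.3.0", "9.3.18"), "9.3.19"),
    (("9.4.0", "9.4.2"), "9.4.3"),
)

# Constructed composer.lock excerpt (not a real project's lock file).
SAMPLE_LOCK = """{
  "packages": [
    {"name": "drupal/core", "version": "9.3.12"},
    {"name": "symfony/yaml", "version": "v5.4.9"}
  ],
  "packages-dev": []
}"""


def parse_version(text):
    """Turn '9.3.12', 'v9.3.12' or '9.4.0-rc1' into a comparable tuple.
    Pre-release suffixes are dropped, so 9.4.0-rc1 compares as 9.4.0 (conservative);
    non-numeric branch aliases such as 'dev-main' raise ValueError."""
    core = text.lstrip("vV").split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def installed_drupal_core(lock_text):
    """Return the drupal/core version recorded in composer.lock, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "drupal/core":
                return pkg["version"]
    return None


def fix_for(version):
    """Return the version to upgrade to if `version` is in an affected range, else None.
    Versions outside the table (for example 9.2.x) are not assessed by this check."""
    v = parse_version(version)
    for (low, high), fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def check_lock(lock_text):
    """Report (installed drupal/core version, fix version or None) for a composer.lock."""
    installed = installed_drupal_core(lock_text)
    return installed, (fix_for(installed) if installed else None)
```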

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched -279 days after disclosure

Mitigation and Workarounds

The solution to this vulnerability is to update Drupal Core to version 9.3.19 or higher. This update corrects the incorrect interaction between the filename sanitization protections. It's crucial to apply this update as soon as possible to mitigate the risk. Additionally, review your site's configuration to ensure that only necessary file extensions are allowed and that strict security policies are applied for file uploads. Regular website backups are also a good practice for recovery in case of an incident.

How to fix

Update Drupal Core to version 9.3.19 or higher, or to version 9.4.3 or higher. This update fixes a vulnerability that could allow remote code execution on Apache servers if uploads of files with the .htaccess extension are permitted.


Frequently asked questions

What is CVE-2022-25277 — Remote Code Execution (RCE) in Drupal Core?

CVE-2022-25277 is a filename sanitization flaw in Drupal Core that can lead to remote code execution on Apache web servers when a site allows uploads of files with the .htaccess extension. A .htaccess file is a configuration file used by Apache web servers to control server behavior within a specific directory. It can be used for redirecting traffic, protecting directories, and more.

Am I affected by CVE-2022-25277 in Drupal Core?

It only affects sites that allow uploads with the .htaccess extension. Review your site's configuration to determine if you are at risk.

How do I fix CVE-2022-25277 in Drupal Core?

Update Drupal Core to version 9.3.19 or higher, or to version 9.4.3 or higher. If you cannot update immediately, consider restricting file uploads to users with elevated privileges and monitor server logs for suspicious activity.

Is CVE-2022-25277 being actively exploited?

KEV: no indicates that this vulnerability has not been cataloged in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Where can I find the official Drupal Core advisory for CVE-2022-25277?

You can find more information about this vulnerability on the Drupal website: [https://www.drupal.org/security/announce/9.3.19](https://www.drupal.org/security/announce/9.3.19)
