CVE-2024-11941 describes a Denial of Service (DoS) vulnerability in Drupal Core. An attacker can exploit this flaw by crafting malicious comment reply requests, leading to a service disruption. This vulnerability affects Drupal Core versions 10.1.7 and earlier, but sites that do not use the Comment module are not vulnerable. A fix is available in version 10.1.8.
The primary impact of CVE-2024-11941 is a denial of service. An attacker can overwhelm the Drupal server with specially crafted comment reply requests, consuming resources and rendering the site unresponsive to legitimate users. This can disrupt critical business operations, impact user experience, and potentially lead to financial losses. The blast radius is limited to sites actively using the Comment module; however, the impact on those sites can be significant, potentially leading to complete unavailability.
CVE-2024-11941 was publicly disclosed on December 5, 2024. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The low complexity of the vulnerability suggests that a PoC could be developed with relatively little effort.
EPSS: 0.69% (72nd percentile)
The recommended mitigation for CVE-2024-11941 is to immediately upgrade Drupal Core to version 10.1.8 or later. If upgrading is not immediately feasible, consider disabling the Comment module if it is not essential for site functionality. While not a complete solution, implementing rate limiting on comment reply requests can help mitigate the impact of the vulnerability by preventing an attacker from overwhelming the server. After upgrading, verify the fix by attempting to submit a comment reply and confirming that the server remains responsive.
Update Drupal Core to version 10.2.2 or higher, or to version 10.1.8 or higher. This will fix the excessive allocation vulnerability that can lead to a denial of service. Back up your website before performing the update.
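As an added defender-side check (not code from this page or from the Drupal project), the following Python snippet reads a composer.lock file and reports whether the locked Drupal core version predates the fixed releases named above (10.1.8 for the 10.1 branch, 10.2.2 for the 10.2 branch). It assumes core is locked as drupal/core or drupal/core-recommended, and it cannot tell whether the Comment module is enabled, which is the other condition for exposure stated above.

```python
import json
import re

# Fixed releases named in the advisory text: 10.1.x is fixed at 10.1.8, 10.2.x at 10.2.2.
FIXED_BY_BRANCH = {(10, 1): (10, 1, 8), (10, 2): (10, 2, 2)}

# Assumption: core is locked under one of these package names.
CORE_PACKAGES = ("drupal/core", "drupal/core-recommended")


def parse_version(version):
    """Turn '10.1.7' or 'v10.2.2' into a comparable (major, minor, patch) tuple.

    Any pre-release suffix (e.g. '-dev') is ignored; adjust if you need stricter handling.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the installed core version predates the fix for its release branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # The page states 10.1.7 and earlier are affected, so anything below 10.1 is affected.
    if branch < (10, 1):
        return True
    # Assumption: branches newer than 10.2 shipped with the fix already in place.
    return False


def check_composer_lock(lock_text):
    """Return (package, version, affected) for Drupal core, or None if core is not locked."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in CORE_PACKAGES:
            return pkg["name"], pkg["version"], is_affected(pkg["version"])
    return None


# Constructed sample lock file, trimmed to the fields this check reads.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.1.7"},
    {"name": "symfony/console", "version": "v6.3.4"},
]})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))
```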
CVE-2024-11941 is a denial-of-service vulnerability in Drupal Core affecting versions up to 10.1.7. Malicious comment reply requests can cause the site to become unresponsive.
You are affected if you are using Drupal Core version 10.1.7 or earlier and have the Comment module enabled. Sites without the Comment module are not vulnerable.
Upgrade Drupal Core to version 10.1.8 or later. If immediate upgrade is not possible, disable the Comment module or implement rate limiting.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept code has been released.
Refer to the official Drupal security advisory at https://www.drupal.org/security/announcements/1603898.