Platform: drupal
Component: drupal
Fixed in: 10.4.9, 10.5.6, 11.1.9, 11.2.8
CVE-2025-13080 describes a Forceful Browsing vulnerability in Drupal Core. The flaw allows unauthorized access because of an improper check for unusual or exceptional conditions. It affects Drupal versions from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, and from 11.2.0 before 11.2.8. The vulnerability is fixed in versions 10.4.9, 10.5.6, 11.1.9 and 11.2.8.
CVE-2025-13080 in Drupal core affects versions prior to 10.4.9, 10.5.6, 11.1.9, and 11.2.8 and enables a 'Forceful Browsing' attack. The root cause is an improper check for unusual or exceptional conditions in how Drupal handles navigation requests, which lets an attacker bypass the access restrictions a site has put in place and reach pages or resources that should not be visible to them, exposing sensitive information. The severity depends on the specific site configuration and on what data is reachable without authorization; the risk is greatest on sites that handle confidential data or depend on strict access controls. Applying the security updates provided by Drupal is strongly recommended.
An attacker could exploit this vulnerability by manipulating the website's URLs, for example by adding unexpected parameters or routes, in order to reach protected pages or resources. Whether this succeeds depends on the site's configuration and on whether sensitive resources are reachable through such manipulated routes. The vulnerability stems from a lack of proper user input validation, which allows access restrictions to be bypassed. Exploiting it may require some technical knowledge of Drupal and its internal workings.
Exploit Status
EPSS: 0.10% (28th percentile)
The solution for CVE-2025-13080 is to update Drupal core to 10.4.9 or later (for 10.4.x), 10.5.6 or later (for 10.5.x), 11.1.9 or later (for 11.0.x and 11.1.x), or 11.2.8 or later (for 11.2.x). These releases correct the flawed check that enables 'Forceful Browsing'. Take a full website backup before applying any update, and thoroughly test all site functionality afterwards. Also review permission and access configurations so that users have access only to the resources they need, and monitor server logs for suspicious activity after the update. Applying these measures promptly is essential to protect your Drupal site.
Update Drupal core to the latest available version. For 10.x versions, update to 10.4.9 or later. For 10.5.x versions, update to 10.5.6 or later. For 11.0.x versions, update to 11.1.9 or later. For 11.2.x versions, update to 11.2.8 or later.
Forceful Browsing is an attack in which an attacker attempts to access unauthorized pages or resources by manipulating URLs.
Drupal core versions from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, and from 11.2.0 before 11.2.8.
Check the version of Drupal you are using and compare it with the listed vulnerable versions. Perform navigation tests with different URLs to identify potential unauthorized accesses.
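The version comparison above can be automated against a project's composer.lock. The following script is an added example, not code from the advisory or from the Drupal project: it encodes the four affected ranges exactly as the advisory states them (introduced version inclusive, fixed version exclusive), reads the pinned drupal/core or drupal/core-recommended version from a composer.lock, and reports whether the site falls inside an affected range. The composer.lock content embedded below is constructed for the demonstration.

```python
"""Check a composer.lock for a drupal/core version inside the ranges the
advisory lists for CVE-2025-13080.

Added example. The ranges come from the advisory text; the sample
composer.lock below is constructed, not taken from a real site.
"""
import json
import re
import sys

# Affected ranges as stated in the advisory: [introduced, fixed)
AFFECTED_RANGES = [
    ((8, 0, 0), (10, 4, 9)),
    ((10, 5, 0), (10, 5, 6)),
    ((11, 0, 0), (11, 1, 9)),
    ((11, 2, 0), (11, 2, 8)),
]

# Packages that pin Drupal core in a composer.lock.
CORE_PACKAGES = ("drupal/core", "drupal/core-recommended")

# Leading "v" is tolerated; pre-release suffixes (e.g. "-rc1") are ignored,
# so an RC of a fixed release is treated like the release itself.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) or None for non-release strings such as '11.x-dev'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version is inside an affected range, False if not, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def core_version_from_lock(lock_text):
    """Return the pinned Drupal core version from composer.lock JSON, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in CORE_PACKAGES:
            return pkg.get("version")
    return None


def check_lock(lock_text):
    """Return (version, status); status is 'affected', 'fixed', 'unknown' or 'absent'."""
    version = core_version_from_lock(lock_text)
    if version is None:
        return None, "absent"
    result = is_affected(version)
    if result is None:
        return version, "unknown"
    return version, "affected" if result else "fixed"


# Constructed sample lock file: a site still on 10.4.8, one release short of the fix.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core-recommended", "version": "10.4.8"},
        {"name": "drupal/core", "version": "10.4.8"},
        {"name": "symfony/http-kernel", "version": "v6.4.0"},
    ]
})


if __name__ == "__main__":
    # Usage: python check_cve_2025_13080.py [path/to/composer.lock]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOCK
    ver, status = check_lock(text)
    print(f"drupal/core {ver}: {status}")
```

Note that the advisory's first range starts at 8.0.0, so a site still on an unsupported 8.x or 9.x release is reported as affected as well; the only remedy the advisory gives for any affected version is to move to one of the fixed releases.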
Implement additional security measures, such as reinforcing permission configurations and monitoring server logs.
Consult the Drupal security page: https://www.drupal.org/security