Platform: drupal
Component: drupal
Fixed in: 10.4.9, 10.5.6, 11.1.9, 11.2.8
CVE-2025-13081 is an object injection vulnerability in Drupal core, classified as improperly controlled modification of dynamically-determined object attributes (CWE-915): input that an attacker influences ends up deciding which attributes of an object are written. It affects Drupal core from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, and from 11.2.0 before 11.2.8. It is fixed in 10.4.9, 10.5.6, 11.1.9 and 11.2.8 respectively; the fix you need is the one for the branch your site is on.
Because the attacker controls which object attributes are modified, the consequences depend on what the affected code later does with those attributes; the advisory-level description leaves open anything from tampering with application state to exposure of sensitive information or execution of attacker-chosen code. The vulnerable version ranges are 8.0.0 through 10.4.8, 10.5.0 through 10.5.5, 11.0.0 through 11.1.8, and 11.2.0 through 11.2.7. The CVSS base score is 5.9 (moderate). Successful exploitation could compromise the integrity and confidentiality of the site, so the security update should be applied.
Exploitation requires that attacker-controlled input, for example a form field or URL parameter, reaches code that sets object attributes named or selected by that input without an allowlist. What an attacker can then do depends on which object and which attributes are reachable and on the permissions of the account making the request; the advisory does not describe a specific attack path, and the impact varies with site configuration and the role of the affected user. Whether the vulnerability has been exploited in the wild is unknown, so patching should be treated as preventative rather than reactive.
Exploit Status: unknown (no in-the-wild exploitation reported here)
EPSS: 0.20% (42nd percentile)
The fix for CVE-2025-13081 is to update Drupal core to the patched release of the branch you are running: 10.4.9 or later on 10.4.x, 10.5.6 or later on 10.5.x, 11.1.9 or later on 11.1.x, and 11.2.8 or later on 11.2.x. Drupal has released a security update that directly addresses this vulnerability, and it should be applied promptly, especially on sites that handle sensitive data or receive high traffic. Branches older than those listed (8.x, 9.x, and 10.0 through 10.3) no longer receive security fixes and need to be moved to a supported branch rather than patched in place. Take a backup before updating so the site can be restored if the update fails, and review contributed modules at the same time, since an outdated module may be the piece of code that passes attacker-controlled input into core.
Object injection, in the sense used here (CWE-915), is a weakness in which the application lets untrusted input decide which attributes of an object are set, instead of restricting writes to a fixed, code-defined list. An attacker can use it to set attributes the application never intended to expose, which may alter access control, corrupt state, or, depending on what the code does with those attributes, lead to execution of attacker-chosen code.
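The exploitation paragraph and the definition above both come down to the same pattern: a loop over request data that writes whatever keys the client sent. The following added example (written in Python for readability; it is not Drupal code and does not reproduce the actual Drupal code path, which the advisory does not describe) shows that pattern next to the allowlisted form that prevents it. The Profile class, its fields and the payload are hypothetical and constructed for the demonstration.

```python
"""Illustration of CWE-915, the weakness class named for CVE-2025-13081:
attacker-controlled input decides WHICH attributes of an object get written.
Added example in Python; not Drupal code and not the real code path (the
advisory does not describe it). Profile, its fields and the payload are
hypothetical."""


class Profile:
    """Hypothetical account object with a server-controlled privilege flag."""

    def __init__(self, username: str):
        self.username = username
        self.display_name = username
        self.is_admin = False  # must never be writable from request data


def apply_update_vulnerable(profile: Profile, data: dict) -> Profile:
    """Vulnerable pattern: every key in the request body becomes an attribute
    name, so {"is_admin": true} flips a privilege the user should not control."""
    for key, value in data.items():
        setattr(profile, key, value)
    return profile


# Hardened pattern: the set of attributes request data may touch is fixed in
# code, not derived from the input.
WRITABLE_FIELDS = frozenset({"display_name"})


def apply_update_hardened(profile: Profile, data: dict) -> Profile:
    """Allowlist the attribute names and reject (rather than silently drop)
    anything outside it, so probing for hidden fields shows up in logs."""
    unknown = set(data) - WRITABLE_FIELDS
    if unknown:
        raise ValueError(f"refusing to set attributes: {sorted(unknown)}")
    for key in WRITABLE_FIELDS & set(data):
        setattr(profile, key, data[key])
    return profile


# Constructed request payload: one legitimate field plus an injected one.
ATTACK_PAYLOAD = {"display_name": "Mallory", "is_admin": True}


def demo() -> tuple:
    """Returns (is_admin after the vulnerable update, hardened update rejected)."""
    victim = apply_update_vulnerable(Profile("mallory"), dict(ATTACK_PAYLOAD))
    try:
        apply_update_hardened(Profile("mallory"), dict(ATTACK_PAYLOAD))
        rejected = False
    except ValueError:
        rejected = True
    return victim.is_admin, rejected


if __name__ == "__main__":
    print(demo())
```

The hardened variant raises instead of ignoring unknown keys on purpose: silently dropping them would still be safe, but rejecting them turns an attacker's probing for hidden attributes into a log entry you can alert on.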
If you cannot update immediately, reduce exposure in the meantime: restrict access to administrative and other sensitive areas of the site, review which untrusted input paths reach it, and monitor web server and Drupal watchdog logs for requests carrying unexpected field names or parameters.
The vulnerability affects sites running any of the version ranges listed above. You are protected only if your version is at or above the fixed release for your own branch: 10.4.9 on 10.4.x, 10.5.6 on 10.5.x, 11.1.9 on 11.1.x, or 11.2.8 on 11.2.x. A higher version number is not enough on its own; 10.5.5, for instance, is newer than 10.4.9 but still vulnerable.
You can find more information about this vulnerability on the Drupal website and vulnerability databases like NIST NVD.
You can verify the Drupal core version from the administrative interface on the Status report page (Reports > Status report, at /admin/reports/status), which lists the installed core version. On a Composer-managed site the authoritative record is the drupal/core (or drupal/core-recommended) entry in composer.lock.
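Checking composer.lock by hand is error-prone because the affected ranges are per branch. The following added script (not from the advisory or the Drupal project; the ranges are copied from the advisory text above, and SAMPLE_LOCK is a constructed lock file for the demonstration) reads a composer.lock, finds the core package, and reports whether the installed version falls inside any affected range, treating a pre-release such as 10.4.9-rc1 as older than 10.4.9 and a branch alias such as dev-main as unknown rather than fixed.

```python
"""Offline check of a composer.lock against the affected version ranges for
CVE-2025-13081. Added example, not code from the advisory or from the Drupal
project; the ranges are copied from the advisory text and SAMPLE_LOCK is a
constructed lock file for the demonstration."""
import json
import re
import sys

# (branch floor, first fixed release) as 4-tuples; the 4th element marks a
# final release (1) versus a pre-release (0) so 10.4.9-rc1 sorts below 10.4.9.
AFFECTED_RANGES = [
    ((8, 0, 0, 1), (10, 4, 9, 1)),    # 8.0.0 <= v < 10.4.9
    ((10, 5, 0, 1), (10, 5, 6, 1)),   # 10.5.0 <= v < 10.5.6
    ((11, 0, 0, 1), (11, 1, 9, 1)),   # 11.0.0 <= v < 11.1.9
    ((11, 2, 0, 1), (11, 2, 8, 1)),   # 11.2.0 <= v < 11.2.8
]

# Composer packages whose version tracks Drupal core in a Composer-managed site.
CORE_PACKAGES = ("drupal/core", "drupal/core-recommended")

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(version: str) -> tuple:
    """'10.4.8', 'v10.4.8', '10.4.9-rc1' -> comparable tuple. Branch aliases
    such as 'dev-main' are rejected so they are reported as unknown, not fixed."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(version: str) -> bool:
    """True when the version lies inside any advisory range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def core_versions(lock_json: str) -> dict:
    """Map core package name -> installed version string from composer.lock."""
    lock = json.loads(lock_json)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in CORE_PACKAGES:
                found[pkg["name"]] = pkg.get("version", "")
    return found


def check_lock(lock_json: str) -> dict:
    """package name -> 'affected' | 'fixed' | 'unknown'."""
    verdicts = {}
    for name, version in core_versions(lock_json).items():
        try:
            verdicts[name] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            verdicts[name] = "unknown"
    return verdicts


# Constructed sample: a 10.5.x site one patch release behind the fix.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.5.5"},
        {"name": "drupal/core-recommended", "version": "10.5.5"},
        {"name": "symfony/yaml", "version": "v6.4.8"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    # Usage: python check_cve_2025_13081.py [path/to/composer.lock]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock_text = fh.read()
    else:
        lock_text = SAMPLE_LOCK
    for name, verdict in check_lock(lock_text).items():
        print(f"{name}: {verdict}")
```

Run it against the site's real composer.lock; an "affected" verdict means the core package needs to move to the fixed release of its branch, and an "unknown" verdict (a dev branch alias) means the lock file cannot tell you and you should check the installed code directly.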