Platform
drupal
Component
drupal
Fixed in
10.4.9
10.5.6
11.1.9
11.2.8
7.103.1
CVE-2025-13083 describes a "Use of Web Browser Cache Containing Sensitive Information" weakness in Drupal Core. The issue allows exploitation of incorrectly configured access control security levels, potentially leading to the exposure of sensitive data. The vulnerability impacts Drupal Core versions 8.0.0 through 9.5.9, as well as 10.5.0, 11.0.0, 11.1.0, and 11.2.0. A fix is available in Drupal 10.4.9.
An attacker could exploit this vulnerability to access sensitive information cached by the web browser. This could include user data, session tokens, or other confidential information that should not be publicly accessible. The impact is amplified if the Drupal site handles Personally Identifiable Information (PII) or other regulated data. Successful exploitation could lead to unauthorized access to user accounts, data breaches, and potential reputational damage. While the CVSS score is LOW, the potential for sensitive data exposure warrants prompt remediation.
CVE-2025-13083 was published on 2025-11-18. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept exploits are not currently known. The vulnerability's LOW CVSS score suggests a relatively low probability of exploitation, but proactive patching is still recommended.
Exploit Status
EPSS
0.02% (5th percentile)
CVSS Vector
The primary mitigation for CVE-2025-13083 is to upgrade Drupal Core to version 10.4.9 or later. Prior to upgrading, it is recommended to create a full backup of the Drupal site, including the database and files. If an upgrade is not immediately feasible, review and tighten access control configurations to minimize the potential for unauthorized access to sensitive data. Consider implementing a Web Application Firewall (WAF) with rules to detect and block attempts to access cached sensitive information. After upgrading, verify the fix by attempting to access sensitive resources through the browser cache and confirming that access is denied.
Update Drupal core to the latest available version. For 7.x versions, update to version 7.103 or higher. For 8.x to 10.4.x versions, update to version 10.4.9 or higher. For 10.5.x versions, update to version 10.5.6 or higher. For 11.0.x versions, update to version 11.1.9 or higher. For 11.2.x versions, update to version 11.2.8 or higher.
CVE-2025-13083 is a vulnerability in Drupal Core that allows exploitation of incorrectly configured access control security levels, potentially exposing sensitive information through browser caching. It affects versions ≤9.5.9.
You are affected if you are using Drupal Core versions 8.0.0 through 9.5.9, or 10.5.0, 11.0.0, 11.1.0, or 11.2.0. Versions 10.4.9 and later are not affected.
Upgrade Drupal Core to version 10.4.9 or later. Back up your site before upgrading and review access control configurations.
There is currently no indication of active exploitation of CVE-2025-13083.
Refer to the official Drupal security advisory on the Drupal.org website for detailed information and updates.