Platform: drupal
Component: drupal
Fixed in: 1.0.3, 1.0.4
CVE-2025-13982 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Drupal Login Time Restriction module. This vulnerability allows an attacker to potentially perform unauthorized actions on a user's account if they can trick the user into clicking a malicious link. The vulnerability affects versions of the module prior to 1.0.3 and was published on 2026-01-28. A fix is available in version 1.0.3.
A successful CSRF attack can lead to an attacker performing actions as the logged-in user without their knowledge or consent. In the context of the Drupal Login Time Restriction module, this could involve manipulating login time restrictions, potentially granting unauthorized access or bypassing security measures. The impact is heightened if the affected Drupal site handles sensitive data or performs critical operations. While the specific impact depends on the configuration and usage of the Login Time Restriction module, the potential for unauthorized actions warrants immediate attention. This vulnerability is similar to other CSRF vulnerabilities in Drupal modules, where improper input validation and lack of CSRF tokens can be exploited.
The vulnerability was publicly disclosed on 2026-01-28. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. Public proof-of-concept (POC) code is not currently available, but the CSRF nature of the vulnerability suggests that a POC could be developed relatively easily. The CVSS score of 8.1 (HIGH) indicates a significant potential for exploitation.
Exploit Status
EPSS: 0.02% (5th percentile)
CVSS Vector
The primary mitigation for CVE-2025-13982 is to upgrade the Drupal Login Time Restriction module to version 1.0.3 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds such as carefully reviewing and validating all user inputs, particularly those related to login time restrictions. Implementing robust CSRF token protection mechanisms throughout the Drupal site is also crucial. Ensure that all forms and sensitive actions require a valid CSRF token to prevent unauthorized requests. After upgrading, confirm the fix by attempting a CSRF attack on a test environment to verify that the protection is effective.
Update the Login Time Restriction module to version 1.0.3 or higher. This version fixes the CSRF vulnerability. You can update through the Drupal administration interface or by downloading the new version from Drupal.org and replacing the module files.
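The CSRF token protection described above, shown as an added example for a hypothetical Drupal module (`login_window_demo`, with route names, paths and a `WindowController` all invented here; this is not code from the Login Time Restriction module or its fix). The weak route accepts a state-changing GET request on permission alone; the fixed route adds Drupal core's `_csrf_token` requirement, so `CsrfAccessCheck` rejects any request whose `token` query parameter does not validate for that path, and `Url::fromRoute()` emits the token only into links the site itself renders.

```php
<?php
// Hypothetical module "login_window_demo" (not the Login Time Restriction module).
// Contents of login_window_demo.routing.yml, reproduced here as a comment:
//
//   # WEAK (before): a GET route that changes state with no CSRF check; any page
//   # a logged-in admin visits can trigger it with an <img src="..."> or a link.
//   login_window_demo.disable_weak:
//     path: '/admin/config/people/login-window/{uid}/disable'
//     defaults:
//       _controller: '\Drupal\login_window_demo\Controller\WindowController::disable'
//     requirements:
//       _permission: 'administer users'
//
//   # FIXED (after): same route plus _csrf_token; core's CsrfAccessCheck now
//   # rejects requests whose ?token= does not validate for this path (HTTP 403).
//   login_window_demo.disable:
//     path: '/admin/config/people/login-window/{uid}/disable'
//     defaults:
//       _controller: '\Drupal\login_window_demo\Controller\WindowController::disable'
//     requirements:
//       _permission: 'administer users'
//       _csrf_token: 'TRUE'

namespace Drupal\login_window_demo\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\RedirectResponse;

class WindowController extends ControllerBase {

  // No token check is needed in the controller itself: with _csrf_token set on
  // the route, CsrfAccessCheck validates the token before this method runs.
  public function disable(int $uid): RedirectResponse {
    $this->state()->delete("login_window_demo.window.$uid");
    $this->messenger()->addStatus($this->t('Login window cleared for user @uid.', ['@uid' => $uid]));
    return $this->redirect('entity.user.edit_form', ['user' => $uid]);
  }

  // Url::fromRoute() sees the _csrf_token requirement and RouteProcessorCsrf
  // appends ?token=... bound to the current session, so only links rendered by
  // the site carry a token that validates; a URL forged on another site does not.
  public static function disableLink(int $uid): array {
    return [
      '#type' => 'link',
      '#title' => t('Disable login window'),
      '#url' => Url::fromRoute('login_window_demo.disable', ['uid' => $uid]),
    ];
  }

}
```

Forms built with Drupal's Form API get the same protection automatically through the `form_token` element, so the manual route requirement is only needed for custom controller routes that change state.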
CVE-2025-13982 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Drupal Login Time Restriction module, allowing attackers to perform unauthorized actions.
You are affected if you are using Drupal Login Time Restriction version 1.0.3 or earlier. Upgrade to 1.0.3 to mitigate the risk.
Upgrade the Drupal Login Time Restriction module to version 1.0.3 or later. Implement CSRF token protection as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Refer to the Drupal security advisory page for the latest information and updates regarding CVE-2025-13982.