Platform
drupal
Component
drupal
Fixed in
10.3.13
10.4.3
11.0.12
11.1.3
10.3.13
10.3.13
10.3.13
10.3.13
CVE-2025-3057 is a Cross-Site Scripting (XSS) vulnerability in Drupal Core. This flaw allows attackers to inject malicious scripts into web pages, potentially leading to data theft or unauthorized actions. This affects Drupal core versions from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, and from 11.1.0 before 11.1.3. The vulnerability is fixed in version 10.3.13.
CVE-2025-3057 in Drupal Core represents a Cross-Site Scripting (XSS) vulnerability. This means an attacker could inject malicious code into Drupal web pages, which would then execute in the browsers of users visiting those pages. The impact can range from stealing session cookies and redirecting users to malicious websites, to modifying the content of the web page. This vulnerability affects multiple versions of Drupal Core, including versions 8.0.0 before 10.3.13, 10.4.0 before 10.4.3, 11.0.0 before 11.0.12, and 11.1.0 before 11.1.3. The vulnerability is rated as 6.1 on the CVSS scale, indicating a moderate risk. Updating Drupal to the patched version is crucial to mitigate this risk.
The vulnerability arises from improper neutralization of input during web page generation. An attacker could exploit this by injecting malicious JavaScript code through input fields that are not properly sanitized. This code would execute in the user's browser, allowing the attacker to perform various malicious actions. The exploitation context depends on the specific Drupal site configuration and vulnerable input fields. Lack of proper validation and escaping of user input is the root cause of this vulnerability. Drupal site administrators should be aware of this vulnerability and take steps to protect their websites.
Exploit Status
EPSS
0.35% (57% percentile)
CVSS Vector
The solution for CVE-2025-3057 is to update Drupal Core to a version that includes the fix. Specifically, update to version 10.3.13 or higher, 10.4.3 or higher, 11.0.12 or higher, or 11.1.3 or higher. In addition to updating, review custom code to identify and correct any potential XSS vulnerabilities. Implementing Content Security Policies (CSP) can help mitigate the impact of XSS attacks, even if the application isn't fully patched. Monitoring server logs for suspicious activity is also a good security practice. The update should be performed as soon as possible to minimize the attacker's window of opportunity.
Update Drupal core to the latest available version. If you are using a version prior to 10.3, update to version 10.3.13 or higher. If you are using version 10.4, update to version 10.4.3 or higher. If you are using version 11.0, update to version 11.0.12 or higher. If you are using version 11.1, update to version 11.1.3 or higher.
Vulnerability analysis and critical alerts directly to your inbox.
Affected versions are Drupal Core 8.0.0 before 10.3.13, 10.4.0 before 10.4.3, 11.0.0 before 11.0.12, and 11.1.0 before 11.1.3.
You can verify the Drupal version on the site's administration page, in the 'Site information' section.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
CSP (Content Security Policy) is a security mechanism that allows website administrators to control the resources the browser is allowed to load for a web page.
You can find more information on the Drupal website and in vulnerability databases like CVE.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your composer.lock file and we'll tell you instantly if you're affected.