Platform
drupal
Component
drupal
Fixed in
10.3.13
10.4.3
11.0.12
11.1.3
10.3.13
10.3.13
10.3.13
10.3.13
CVE-2025-31673 is an Incorrect Authorization vulnerability within Drupal core that enables Forceful Browsing. This flaw could allow unauthorized access to certain resources. This affects Drupal core versions from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, and from 11.1.0 before 11.1.3. The vulnerability is fixed in version 10.3.13.
CVE-2025-31673 in Drupal Core represents an Incorrect Authorization vulnerability, resulting in Forceful Browsing. This means an attacker could potentially access sensitive information or perform unauthorized actions on the Drupal site without proper credentials. The vulnerability affects several Drupal Core versions: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, and from 11.1.0 before 11.1.3. The CVSS score is 4.6, indicating a moderate risk. Successful exploitation could lead to data breaches, privilege escalation, or other malicious activities. The core issue lies in insufficient validation of user permissions when accessing certain resources.
Forceful browsing occurs when an attacker can access pages or resources within a website without proper authorization. In the context of Drupal, this could involve accessing configuration files, administrative pages, or sensitive data by manipulating URLs or request parameters. Attackers may use automated scanning tools to identify authorization weaknesses and exploit the vulnerability. The success of exploitation depends on the specific Drupal site configuration and implemented security measures. The lack of adequate permission validation on certain routes is the root cause of this vulnerability.
Exploit Status
EPSS
0.28% (51% percentile)
CVSS Vector
The recommended mitigation is to update Drupal Core to the latest available version: 10.3.13, 10.4.3, 11.0.12, or 11.1.3, depending on your current version. Applying this update promptly is crucial to protect your website from potential attacks. Additionally, review user permissions and roles to ensure only authorized users have access to sensitive areas of the site. Regular security audits can also help identify and address other potential vulnerabilities. The update is the most effective and direct solution to eliminate this threat.
Update Drupal core to the latest available version. If you are using a version prior to 10.3.x, update to version 10.3.13 or higher. If you are using version 10.4.x, update to version 10.4.3 or higher. If you are using version 11.0.x, update to version 11.0.12 or higher. If you are using version 11.1.x, update to version 11.1.3 or higher.
Vulnerability analysis and critical alerts directly to your inbox.
It's an attack technique that allows an attacker to access pages or resources without proper authorization.
Drupal 8.0.0 - 10.3.12, 10.4.0 - 10.4.2, 11.0.0 - 11.0.11, and 11.1.0 - 11.1.2.
Access the Drupal admin panel and verify the version in the site information section.
Implement additional security measures, such as strengthening user permissions and monitoring the site for suspicious activity.
Web security scanners can detect this vulnerability, but updating remains the most effective solution.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your composer.lock file and we'll tell you instantly if you're affected.