Platform
drupal
Component
drupal
Fixed in
10.3.13
10.4.3
11.0.12
11.1.3
CVE-2025-31674 describes an object injection vulnerability (CWE-915, Improperly Controlled Modification of Dynamically-Determined Object Attributes) in Drupal core: code in core sets object properties from data it does not fully control, which can lead to unauthorized actions or data manipulation. It affects Drupal core from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, and from 11.1.0 before 11.1.3, and is fixed in 10.3.13, 10.4.3, 11.0.12 and 11.1.3 respectively.
CVE-2025-31674 is an object injection vulnerability in Drupal core. An attacker who can get data of their choosing into a code path that reconstructs objects from it ends up choosing those objects' property values, and PHP magic methods (__wakeup(), __destruct(), __toString()) then act on the attacker-chosen values. Depending on which classes are reachable, the outcome ranges from file deletion and data manipulation to remote code execution, privilege escalation or denial of service. The affected releases are 8.0.0 through 10.3.12, 10.4.0 through 10.4.2, 11.0.0 through 11.0.11 and 11.1.0 through 11.1.2; every 8.x, 9.x and 10.0 to 10.2 release is therefore affected as well. Whether a given site is exploitable, and whether exploitation needs authentication, depends on whether some reachable code path in core, a contributed module or custom code deserializes attacker-controlled input. Treat it as high priority regardless: updating is the only way to remove the vulnerable classes.
Exploitation follows the usual PHP object injection pattern. Attacker-controlled bytes in PHP's serialization format (an O:<length>:"ClassName":<count>:{...} token) reach unserialize() or an equivalent that reconstructs objects; PHP instantiates the named class without running its constructor, fills its properties straight from the payload, and a magic method later acts on those values. An object injection weakness such as this one supplies the gadgets, classes whose magic-method behaviour depends on properties an attacker can set; the lack of validation on those properties is what makes them dangerous. It still needs an entry point, a deserialization of untrusted input, and whether one exists depends on the site's configuration, contributed modules and custom code, so a working exploit requires knowledge of the specific deployment and of Drupal's internals. Sites on which such an entry point is reachable without authentication are at the highest risk.
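The mechanism in working form, as an added example that is not Drupal code and does not reproduce the specific classes affected by CVE-2025-31674 (the page does not name them). The Cleanup class is a hypothetical gadget, the payload string is constructed by hand, and the /tmp/victim.txt canary path is an assumption. It shows the vulnerable call beside the two standard hardened forms:

```php
<?php
// Added illustration of PHP object injection (CWE-915); not Drupal code.
// Cleanup is a hypothetical gadget class: legitimate-looking, but its
// __destruct() acts on a property that unserialize() lets an attacker set.
declare(strict_types=1);

final class Cleanup
{
    public function __construct(public string $path = '/tmp/app-cache') {}

    // Runs when the object is freed, including objects that unserialize()
    // built from attacker-supplied bytes (the constructor is skipped then).
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE: untrusted bytes reach unserialize() with no class restriction,
// so the attacker picks the class and every property value.
function vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// HARDENED (a): keep the format but forbid object instantiation. Any O:...
// token becomes __PHP_Incomplete_Class, which has no magic-method behaviour.
function hardenedAllowedClasses(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// HARDENED (b): never use PHP's serialization format for untrusted data.
function hardenedJson(string $untrusted): mixed
{
    return json_decode($untrusted, associative: true, flags: JSON_THROW_ON_ERROR);
}

// Constructed attacker payload: what serialize(new Cleanup('/tmp/victim.txt'))
// would emit. The attacker never needs to run code on the target to produce it.
$payload = 'O:7:"Cleanup":1:{s:4:"path";s:15:"/tmp/victim.txt";}';

// Demo: /tmp/victim.txt stands in for a file the attacker wants gone
// (think settings.php or .htaccess on a real site).
$target = '/tmp/victim.txt';
file_put_contents($target, 'canary');

$a = hardenedAllowedClasses($payload);
printf("allowed_classes=false: got %s, file exists: %s\n",
    get_class($a), var_export(file_exists($target), true));

try {
    hardenedJson($payload);
} catch (JsonException $e) {
    printf("json_decode: rejected (%s), file exists: %s\n",
        $e->getMessage(), var_export(file_exists($target), true));
}

$obj = vulnerable($payload);
printf("unserialize: got %s\n", get_class($obj));
unset($obj);   // object freed -> __destruct() runs -> unlink() on attacker's path
printf("after freeing the object, file exists: %s\n",
    var_export(file_exists($target), true));
```

Run it with `php example.php` (PHP 8.0 or later). The two hardened calls leave the canary file in place; the vulnerable call reconstructs a Cleanup whose path the attacker chose, and the file disappears the moment the object is freed. A real gadget chain differs only in what the magic method does with the properties, not in how it is reached.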
Exploit Status
EPSS
1.04% (77th percentile)
The primary mitigation for CVE-2025-31674 is to update Drupal core to 10.3.13, 10.4.3, 11.0.12 or 11.1.3, whichever matches your branch; these releases contain the fix. On a Composer-managed site that is `composer update "drupal/core-*" --with-all-dependencies`, and `composer audit` (Composer 2.4 or later) reports the advisory afterwards if the update did not land. Review contributed and custom modules with the same question in mind: anything that passes request parameters, cookies, or database or cache contents of untrusted origin to unserialize() turns a gadget into an exploit, and should be changed to json_decode() or to unserialize($data, ['allowed_classes' => false]). When monitoring server logs, look for URL-decoded serialized-object tokens (O:<length>:"ClassName") in query strings, POST bodies and cookies. Regular security reviews of the site's dependencies and deserialization points help find such entry points before they are exploited.
Update Drupal core to the latest available version. Specifically, update to 10.3.13 or later, 10.4.3 or later, 11.0.12 or later, or 11.1.3 or later, depending on the Drupal branch you are using. This resolves the object injection vulnerability.
Object injection (CWE-915) is a vulnerability in which a program builds objects, or sets their properties, from data an attacker controls, typically by deserializing untrusted input. Because PHP runs magic methods such as __wakeup() and __destruct() on those objects, the attacker-chosen properties can steer them into deleting or writing files, or into executing code.
If your site runs a vulnerable version and some reachable code path deserializes attacker-controlled data, an attacker can abuse the affected classes to act on your server with the web server's privileges, potentially up to code execution and full compromise of the site and its data. Updating removes the vulnerable classes even if you cannot audit every deserialization call.
If you cannot update immediately: audit custom and contributed code for unserialize() on request-derived data and add ['allowed_classes' => false] or switch to JSON; restrict access to administrative paths and upload endpoints; and watch logs for serialized-object tokens in parameters. These measures reduce exposure but do not remove the gadget; only the update does.
On a Composer-managed site, `composer show drupal/core` gives the installed version to compare against the affected ranges, and `composer audit` reports known advisories for the locked packages; `drush status` also prints the core version. Dependency and web vulnerability scanners that track NVD detect CVE-2025-31674 by version. Reviewing request logs for serialized PHP objects in parameters covers the exploitation side.
You can find more information about CVE-2025-31674 in the National Vulnerability Database (NVD) entry and in the Drupal security advisories at https://www.drupal.org/security.