Platform: drupal
Component: config_pages
Fixed in: 2.18.0
CVE-2025-8361 describes a Missing Authorization vulnerability within Drupal Config Pages. This flaw allows attackers to perform Forceful Browsing, potentially exposing sensitive configuration data. The vulnerability affects versions from 0.0.0 up to and including 2.18.0. A fix is available in version 2.18.0.
The core impact of CVE-2025-8361 lies in the potential for unauthorized access to Drupal configuration settings. Forceful Browsing allows an attacker to navigate to restricted areas of the Config Pages module without proper authentication. This could expose sensitive information such as database connection details, API keys, or other configuration parameters that could be leveraged to compromise the entire Drupal site. Successful exploitation could lead to data breaches, privilege escalation, or even complete site takeover. The blast radius extends to any system relying on the exposed configuration data.
CVE-2025-8361 was publicly disclosed on 2025-08-15. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The probability of exploitation is currently assessed as low, but the ease of exploitation should be considered.
Exploit Status
EPSS: 0.04% (13th percentile)
The primary mitigation for CVE-2025-8361 is to immediately upgrade Drupal Config Pages to version 2.18.0 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing stricter access controls on the Config Pages module. This could involve restricting access to specific configuration pages based on user roles or implementing additional authentication layers. While not a complete fix, this can reduce the attack surface. Monitor Drupal logs for any unusual access patterns to configuration endpoints. After upgrading, confirm the fix by attempting to access configuration pages without proper authentication; access should be denied.
Update the Config Pages module to version 2.18.0 or higher. This update corrects the authorization bypass vulnerability. You can update through the Drupal administration interface or using Composer.
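One way to check a composer.lock for this advisory, as an added example (not code from the advisory or from the module): it assumes the module's Composer package name is `drupal/config_pages` and treats anything below the page's "Fixed in" version 2.18.0 as affected. `check_lock`, `parse_version` and the sample lock file are constructed for illustration.

```python
import json
import re

# Assumption: the config_pages module is installed under this Composer name.
PACKAGE = "drupal/config_pages"
FIXED = (2, 18, 0)  # "Fixed in" version given on this page

# Constructed sample input, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/config_pages", "version": "2.17.0"},
    ],
    "packages-dev": [],
})

def parse_version(raw):
    """Return (major, minor, patch) for a plain release, else None.

    Dev branches ("dev-2.x") and pre-releases ("2.18.0-rc1") return None so
    that they are flagged for manual review instead of being guessed at.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def check_lock(lock_text):
    """Classify composer.lock text as (status, locked_version)."""
    lock = json.loads(lock_text)
    # Composer keeps runtime and dev dependencies in separate arrays.
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in entries:
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        version = pkg.get("version", "")
        parsed = parse_version(version)
        if parsed is None:
            return ("review", version)
        # Integer tuples compare numerically, so 2.9.3 < 2.18.0 holds here,
        # which a plain string comparison would get wrong.
        return ("affected" if parsed < FIXED else "fixed", version)
    return ("not-installed", None)

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

Pass the contents of your project's composer.lock to `check_lock`; a `review` result means the locked version is a dev branch or pre-release that needs a manual look.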
CVE-2025-8361 is a Missing Authorization vulnerability in Drupal Config Pages allowing Forceful Browsing, enabling unauthorized access to configuration data.
You are affected if you are using Drupal Config Pages versions 0.0.0 through 2.18.0. Upgrade to 2.18.0 or later to resolve the issue.
Upgrade Drupal Config Pages to version 2.18.0 or later. If immediate upgrade is not possible, implement stricter access controls on configuration pages.
There are currently no known active exploits, but the vulnerability is publicly disclosed and could be targeted.
Refer to the official Drupal security advisory for CVE-2025-8361 on the Drupal.org website.