プラットフォーム
drupal
コンポーネント
config_pages
修正版
2.18.0
CVE-2025-8361 describes a Missing Authorization vulnerability within Drupal Config Pages. This flaw allows attackers to perform Forceful Browsing, potentially exposing sensitive configuration data. The vulnerability affects versions from 0.0.0 up to and including 2.18.0. A fix is available in version 2.18.0.
The core impact of CVE-2025-8361 lies in the potential for unauthorized access to Drupal configuration settings. Forceful Browsing allows an attacker to navigate to restricted areas of the Config Pages module without proper authentication. This could expose sensitive information such as database connection details, API keys, or other configuration parameters that could be leveraged to compromise the entire Drupal site. Successful exploitation could lead to data breaches, privilege escalation, or even complete site takeover. The blast radius extends to any system relying on the exposed configuration data.
CVE-2025-8361 was publicly disclosed on 2025-08-15. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The probability of exploitation is currently assessed as low, but the ease of exploitation should be considered.
Drupal sites utilizing the Config Pages module, particularly those with older versions (0.0.0 - 2.18.0), are at risk. Shared hosting environments where multiple Drupal sites share the same server configuration are also at increased risk, as a compromise of one site could potentially expose configuration data for others.
• drupal: Examine Drupal logs for unusual access attempts to configuration endpoints. Look for requests originating from unexpected IP addresses or user agents.
journalctl -u apache2 -f | grep "Config Pages"• generic web: Use curl to attempt accessing configuration endpoints without authentication. A successful response indicates potential exploitation.
curl -I http://your-drupal-site.com/admin/config/config-pages/sensitive-settingdisclosure
エクスプロイト状況
EPSS
0.04% (13% パーセンタイル)
The primary mitigation for CVE-2025-8361 is to immediately upgrade Drupal Config Pages to version 2.18.0 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing stricter access controls on the Config Pages module. This could involve restricting access to specific configuration pages based on user roles or implementing additional authentication layers. While not a complete fix, this can reduce the attack surface. Monitor Drupal logs for any unusual access patterns to configuration endpoints. After upgrading, confirm the fix by attempting to access configuration pages without proper authentication; access should be denied.
Actualice el módulo Config Pages a la versión 2.18.0 o superior. Esta actualización corrige la vulnerabilidad de omisión de autorización. Puede actualizar a través de la interfaz de administración de Drupal o utilizando Composer.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2025-8361 is a Missing Authorization vulnerability in Drupal Config Pages allowing Forceful Browsing, enabling unauthorized access to configuration data.
You are affected if you are using Drupal Config Pages versions 0.0.0 through 2.18.0. Upgrade to 2.18.0 or later to resolve the issue.
Upgrade Drupal Config Pages to version 2.18.0 or later. If immediate upgrade is not possible, implement stricter access controls on configuration pages.
There are currently no known active exploits, but the vulnerability is publicly disclosed and could be targeted.
Refer to the official Drupal security advisory for CVE-2025-8361 on the Drupal.org website.
composer.lock ファイルをアップロードすると、影響の有無を即座にお知らせします。