CVE-2022-25273

7.5 HIGH

📋 TL;DR

CVE-2022-25273 (SA-CORE-2022-008) is an improper input validation flaw in Drupal core's form API. Forms built by certain contributed or custom modules could accept submitted input that the form never intended to allow, letting an attacker inject disallowed values or overwrite data; in some cases that data is critical or sensitive. The advisory describes affected forms as uncommon. Sites running Drupal 9.2.x before 9.2.18 or 9.3.x before 9.3.12 together with such a module are affected.

💻 Affected Systems

Products:
  • Drupal Core
Versions: Drupal 9.3.x before 9.3.12, 9.2.x before 9.2.18. Drupal 9.1.x and earlier 9.x branches were end-of-life at the time and received no fix; Drupal 7 core is not affected; 9.4.x and later branches were released after the fix and already contain it.
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: The flaw is in core's form API, but it is only reachable through forms defined by contributed or custom modules that use the affected pattern; the advisory calls such forms uncommon. A site with no such module installed exposes no affected form, so the exposure of a given site depends on its module set, not on core alone.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Critical data corruption or unauthorized modification of sensitive information like user permissions, configuration settings, or content data.

🟠

Likely Case

Limited data manipulation on specific forms where vulnerable modules are installed, potentially affecting form submissions or stored values.

🟢

If Mitigated

No impact once core is at a fixed release, or if no installed module exposes an affected form, or if the module forms in question already validate every submitted value against what the form actually offers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: Depends on the form. The 7.5 score's vector assumes no privileges are required; an affected form reachable by anonymous users can be submitted without a login, while one behind a permission needs an account holding that permission.
Complexity: MEDIUM

Exploitation requires identifying an installed contributed or custom module whose form uses the affected pattern and understanding that form's fields and submission handling; there is no generic request that works against every site.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Drupal 9.3.12 or 9.2.18 (9.4.x and later branches include the fix)

Vendor Advisory: https://www.drupal.org/sa-core-2022-008

Restart Required: No

Instructions:

1. Update Drupal core and its companion packages via Composer: composer update "drupal/core-*" --with-all-dependencies
2. Run any pending database updates: drush updatedb
3. Rebuild caches so the patched form API code is used: drush cache:rebuild
4. Confirm the deployed version: drush status | grep 'Drupal version'
5. Commit the updated composer.lock so the next deploy does not reinstall the old core.

🔧 Temporary Workarounds

Uninstall modules that expose affected forms (applies to all platforms)

List enabled contributed and custom modules, review the forms they define, and uninstall those whose forms you cannot otherwise restrict. Drupal 8+ has no "disabled" state: pm:uninstall removes the module's configuration and data, so export configuration and take a database backup first.

drush pm:list --status=enabled --type=module
drush pm:uninstall MODULE_NAME

🧯 If You Can't Patch

  • Add explicit validation to the affected custom or contributed module forms so that every submitted value is checked against the options and fields the form actually renders
  • Restrict who can reach the affected forms using Drupal's permission system (route or form access), so only trusted roles can submit them

🔍 How to Verify

Check if Vulnerable:

drush status | grep 'Drupal version'

A site is vulnerable if the reported version is 9.3.x below 9.3.12 or 9.2.x below 9.2.18, or is on an end-of-life 9.x branch that never received the fix. Check composer.lock as well: drush reports the code actually deployed, while composer.lock shows what the next deploy will install, and the two can disagree.

Verify Fix Applied:

The reported version is 9.3.12, 9.2.18, or any later release; 9.4.x, 9.5.x and 10.x were released after the fix and include it.
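The version check above, carried out as an added example (not code from the advisory or the Drupal project). It encodes the fixed releases the advisory names (9.3.12 and 9.2.18), treats branches cut after the fix (9.4.x and later, 10.x) as already containing it, and reads both the deployed version from `drush status` output and the locked version from composer.lock, since the two can disagree mid-rollout. The composer.lock fragment and drush output are constructed samples, not taken from a real site.

```python
"""
Version check for SA-CORE-2022-008 / CVE-2022-25273.

Added example, not from the advisory or the Drupal project. Fixed releases
per the advisory: 9.3.12 and 9.2.18. Branches from 9.4 onward were released
after the fix. The samples at the bottom are constructed.
"""
import json
import re
from typing import Optional, Tuple

# First fixed release on each branch that received a security release.
FIXED_IN = {
    (9, 2): 18,  # 9.2.18
    (9, 3): 12,  # 9.3.12
}
# Every branch from 9.4 onward was cut after the fix landed.
FIRST_POST_FIX_BRANCH = (9, 4)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce '9.3.11', 'v9.3.11', '10.0.0-beta1' or '7.89' to (major, minor, patch).

    A '9.3.x-dev' string has no numeric patch and parses as 9.3.0, so a dev
    build is reported vulnerable; check such builds against their commit.
    """
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed', 'not affected' or 'unsupported'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_IN:
        return "fixed" if patch >= FIXED_IN[branch] else "vulnerable"
    if branch >= FIRST_POST_FIX_BRANCH:
        return "fixed"
    if major == 7:
        return "not affected"  # the advisory states Drupal 7 core is not affected
    # 8.x, 9.0.x and 9.1.x were end-of-life when the advisory shipped: no fix exists.
    return "unsupported"


def version_from_composer_lock(lock_json: str) -> Optional[str]:
    """Read the locked drupal/core version: what the next deploy will install."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None


def version_from_drush_status(status_output: str) -> Optional[str]:
    """Read 'Drupal version : 9.3.11' from plain `drush status` output: the deployed code."""
    m = re.search(r"^\s*Drupal version\s*:\s*(\S+)", status_output, re.MULTILINE)
    return m.group(1) if m else None


def check_site(lock_json: str, status_output: str) -> dict:
    """Compare deployed and locked versions; a hand-patched server with a stale lock file regresses on deploy."""
    deployed = version_from_drush_status(status_output)
    locked = version_from_composer_lock(lock_json)
    return {
        "deployed": deployed,
        "deployed_status": classify(deployed) if deployed else "unknown",
        "locked": locked,
        "locked_status": classify(locked) if locked else "unknown",
    }


# Constructed samples, not from a real site: the server was patched but the
# repository's composer.lock still pins the vulnerable release.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "9.3.11"},
    {"name": "drupal/core-recommended", "version": "9.3.11"},
]})
SAMPLE_DRUSH_STATUS = "Drupal version : 9.3.12\nSite URI : http://default\nDB driver : mysql\n"

if __name__ == "__main__":
    print(check_site(SAMPLE_LOCK, SAMPLE_DRUSH_STATUS))
```

Feed it the real `drush status` output and composer.lock from the site; a result where the deployed status is "fixed" but the locked status is "vulnerable" means the fix will be undone by the next `composer install`.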

📡 Detection & Monitoring

Log Indicators:

  • POST submissions to a module's form whose field names go beyond what that form renders, or whose values fall outside the options the form offers
  • Repeated validation errors on custom or contributed module forms from the same source in quick succession

Network Indicators:

  • POST requests carrying Drupal's hidden form_id and form_build_id fields plus extra parameters, aimed at pages that render forms from contributed or custom modules

SIEM Query (pseudo-query; adapt to your schema):

web_requests WHERE method = 'POST' AND body CONTAINS 'form_id=' AND body_fields NOT IN expected_fields(form_id)

Drupal forms post back to the page that rendered them, not to a '/form/' path, and standard web server access logs do not record POST bodies, so this detection needs WAF, reverse-proxy or application-level logging of request bodies.
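The field-allowlist check behind that pseudo-query, as an added example (not from the advisory or the Drupal project). It parses POST bodies captured by a WAF, reverse proxy or application log, looks up the posted form_id in a per-form allowlist of rendered field names, and flags any submission that carries fields the form never rendered. The form_id "example_profile_form", its field list and the log records are constructed; a hit on a patched site is an anomaly worth a look, not proof of exploitation.

```python
"""
Flag Drupal form submissions that carry fields the form does not render.

Added detection example, not from the advisory or the Drupal project. Drupal
forms post back to the page that rendered them and always include hidden
form_id and form_build_id fields (plus form_token for authenticated users).
Assumes request bodies are available from a WAF, proxy or application log.
The form_id, allowlist and records below are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs

# Hidden fields Drupal adds to every form; never treat these as anomalous.
DRUPAL_CONTROL_FIELDS = {"form_id", "form_build_id", "form_token", "op"}

# Hypothetical allowlist: the top-level field names each watched form renders.
EXPECTED_FIELDS: Dict[str, Set[str]] = {
    "example_profile_form": {"mail", "display_name", "submit"},
}


def unexpected_fields(body: str) -> Tuple[Optional[str], Set[str]]:
    """Return (form_id, top-level field names that the watched form does not render)."""
    params = parse_qs(body, keep_blank_values=True)
    form_id = params.get("form_id", [None])[0]
    if form_id not in EXPECTED_FIELDS:
        return form_id, set()  # unwatched form: no baseline to compare against
    allowed = EXPECTED_FIELDS[form_id] | DRUPAL_CONTROL_FIELDS
    # Drupal posts nested elements as parent[child]; compare on the parent name.
    top_level = {name.split("[", 1)[0] for name in params}
    return form_id, top_level - allowed


def scan(records: List[dict]) -> List[dict]:
    """Return one finding per POST whose body submits fields outside the form's rendered set."""
    findings = []
    for rec in records:
        if rec["method"] != "POST":
            continue
        form_id, extra = unexpected_fields(rec["body"])
        if extra:
            findings.append({
                "src": rec["src"],
                "path": rec["path"],
                "form_id": form_id,
                "unexpected": sorted(extra),
            })
    return findings


# Constructed records: a normal submission, one that adds a field the form never
# rendered (roles[administrator], URL-encoded as roles%5Badministrator%5D), and
# a GET with no body.
SAMPLE_RECORDS = [
    {"src": "198.51.100.7", "method": "POST", "path": "/user/42/edit",
     "body": "form_id=example_profile_form&form_build_id=form-abc&form_token=t1"
             "&mail=alice%40example.com&display_name=Alice&submit=Save"},
    {"src": "203.0.113.9", "method": "POST", "path": "/user/42/edit",
     "body": "form_id=example_profile_form&form_build_id=form-def&form_token=t2"
             "&mail=bob%40example.com&roles%5Badministrator%5D=administrator&submit=Save"},
    {"src": "203.0.113.9", "method": "GET", "path": "/user/42/edit", "body": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Build the allowlist from the forms your modules actually render (the field names visible in the page source are enough), and remember that form_build_id rotates per render, so it is not a stable key to baseline on.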
