CVE-2022-25275
📋 TL;DR
This vulnerability allows unauthorized access to image files stored in non-standard file systems when insecure derivatives are enabled. It affects Drupal sites using contributed modules that implement custom file schemes and have explicitly enabled insecure image derivative generation. The default configuration is secure, so only sites with specific customizations are vulnerable.
💻 Affected Systems
- Drupal
📦 What is this software?
Drupal by Drupal
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive image files stored in custom file systems, potentially exposing confidential information or private user data.
Likely Case
Limited exposure of non-public images if a site has both custom file systems and insecure derivatives enabled.
If Mitigated
No impact if insecure derivatives are disabled (the default setting).
🎯 Exploit Status
Exploitation requires specific knowledge of custom file schemes and access to image derivative URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Drupal 9.3.19, 9.4.3, and Drupal 7.92 (or later security releases)
Vendor Advisory: https://www.drupal.org/sa-core-2022-012
Restart Required: No
Instructions:
1. Update Drupal core to the patched version.
2. If using Drupal 9, update via Composer: composer update drupal/core-recommended --with-dependencies.
3. If using Drupal 7, download and apply the security update manually.
4. Clear all caches after the update.
🔧 Temporary Workarounds
Disable insecure derivatives
Ensure $config['image.settings']['allow_insecure_derivatives'] (D9) or $conf['image_allow_insecure_derivatives'] (D7) is set to FALSE.
Edit settings.php and set the appropriate variable to FALSE
🧯 If You Can't Patch
- Ensure insecure derivatives are disabled in configuration
- Restrict access to image derivative URLs via web server configuration or WAF rules
🔍 How to Verify
Check if Vulnerable:
Check whether allow_insecure_derivatives is set to TRUE in settings.php and whether any contributed module registers a custom file scheme.
Check Version:
For Drupal 9: drush status | grep 'Drupal version'. For Drupal 7: check CHANGELOG.txt or admin/reports/status.
Verify Fix Applied:
Verify Drupal version is patched (9.3.19+, 9.4.3+, or 7.92+) and check that image styles work correctly.
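An added verification helper, not from the advisory or from Drupal itself: it reads a settings.php fragment for the two settings named above (treating a missing setting as the secure default) and compares a reported core version against the fixed releases listed on this page. The settings.php fragments are constructed samples.

```python
import re
from typing import Optional

# Constructed settings.php fragments (samples, not from any real site).
VULNERABLE_D9 = """
$settings['hash_salt'] = 'placeholder';
$config['image.settings']['allow_insecure_derivatives'] = TRUE;
"""
SAFE_D7 = """
$conf['image_allow_insecure_derivatives'] = FALSE;
"""

# Matches the Drupal 9 config override and the Drupal 7 variable named in the advisory.
_SETTING_RE = re.compile(
    r"""(?:\$config\[['"]image\.settings['"]\]\[['"]allow_insecure_derivatives['"]\]"""
    r"""|\$conf\[['"]image_allow_insecure_derivatives['"]\])\s*=\s*(TRUE|FALSE)\s*;""",
    re.IGNORECASE,
)

def insecure_derivatives_enabled(settings_php: str) -> bool:
    """True if settings.php explicitly enables insecure derivatives.
    The last assignment wins, as in PHP; no assignment means the secure default."""
    enabled = False
    for line in settings_php.splitlines():
        code = line.split("//", 1)[0].split("#", 1)[0]  # drop trailing line comments
        m = _SETTING_RE.search(code)
        if m:
            enabled = m.group(1).upper() == "TRUE"
    return enabled

# First fixed release per branch, from the advisory; earlier releases in that branch are affected.
FIXED = {(9, 3): 19, (9, 4): 3, (7,): 92}

def version_is_patched(version: str) -> Optional[bool]:
    """True if the core version is at or above the fix for its branch,
    None if the branch is not one the advisory lists (e.g. 9.5.x)."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    parts = tuple(int(p) for p in m.group(1).split("."))
    if parts[0] == 7:
        return len(parts) >= 2 and parts[1] >= FIXED[(7,)]
    branch = parts[:2]
    if branch in FIXED:
        return len(parts) >= 3 and parts[2] >= FIXED[branch]
    return None
```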
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to image derivative URLs
- Failed access attempts to non-public image files
Network Indicators:
- Requests to image derivative URLs with unusual file paths or schemes
SIEM Query:
web_access_logs WHERE uri CONTAINS '/sites/default/files/styles/' AND (status_code = 200 OR status_code = 403) AND referrer IS NULL