CVE-2022-25277

7.2 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass Drupal's filename sanitization when .htaccess files are explicitly allowed for upload, potentially leading to remote code execution on Apache servers. It affects Drupal sites where administrators have configured file fields to permit .htaccess extensions. The risk is limited because it requires specific administrative configuration.

💻 Affected Systems

Products:
  • Drupal Core
Versions: Drupal 9.3.x before 9.3.14, 9.4.x before 9.4.3, and 10.0.x before 10.0.2
Operating Systems: All operating systems running Apache web server
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if administrators explicitly configure file fields to allow .htaccess extensions, which is a restricted permission.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution on Apache web servers through malicious .htaccess file upload, potentially leading to full server compromise.

🟠 Likely Case

Limited impact since most sites don't allow .htaccess uploads; attackers would need administrative access to configure vulnerable file fields first.

🟢 If Mitigated

No impact if .htaccess uploads are not explicitly allowed or if the patch is applied.

🌐 Internet-Facing: MEDIUM - Only affects sites with specific misconfigurations, but could lead to RCE if exploited.
🏢 Internal Only: LOW - Requires administrative configuration changes that are unlikely in properly managed environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires administrative access to configure vulnerable file fields first, then uploading malicious .htaccess files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Drupal 9.3.14, 9.4.3, or 10.0.2

Vendor Advisory: https://www.drupal.org/sa-core-2022-014

Restart Required: No

Instructions:

1. Update Drupal core to version 9.3.14, 9.4.3, or 10.0.2 or higher.
2. Run update.php or use drush/drupal console: 'drush up drupal' or 'composer update drupal/core-recommended --with-dependencies'.
3. Clear all caches.

🔧 Temporary Workarounds

Workaround: Disable .htaccess file uploads

Applies to: all affected versions

Description: Remove .htaccess from allowed extensions in all file fields

Steps: Navigate to Content -> Structure -> Content types -> Manage fields -> Edit file field -> Remove 'htaccess' from allowed extensions

🧯 If You Can't Patch

  • Review all file field configurations and ensure .htaccess is not in allowed extensions list
  • Implement web application firewall rules to block .htaccess file uploads at the network level

🔍 How to Verify

Check if Vulnerable:

Check the Drupal version: the site is vulnerable if it runs 9.3.x < 9.3.14, 9.4.x < 9.4.3, or 10.0.x < 10.0.2 AND has file fields that allow the .htaccess extension.

Check Version:

drush status | grep 'Drupal version'   OR   check the /admin/reports/status page

Verify Fix Applied:

Verify Drupal version is 9.3.14+, 9.4.3+, or 10.0.2+ using 'drush status' or check /admin/reports/status
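The two conditions above (affected version branch AND a file field that permits .htaccess) can be checked in one place. The following is an added example, not part of the original page and not Drupal's or Drush's own code; it parses a constructed `drush status` line and a constructed list of per-field allowed-extension strings (Drupal stores these as a space-separated string), and uses only the fixed versions stated in this advisory.

```python
"""Check a Drupal core version and file-field configuration against this advisory.

Added example, not part of the original page. Fixed releases come from the
advisory text: 9.3.14, 9.4.3 and 10.0.2. Inputs below are constructed.
"""
import re

# Fixed release per affected minor branch (from the advisory text).
FIXED = {(9, 3): (9, 3, 14), (9, 4): (9, 4, 3), (10, 0): (10, 0, 2)}


def parse_version(text):
    """Extract the first X.Y.Z version from a line such as 'Drupal version : 9.4.2'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no X.Y.Z version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_vulnerable(version):
    """True if the version is in an affected branch and below that branch's fix."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return False  # branch not listed as affected by the advisory
    return version < fixed


def htaccess_allowed(extensions):
    """True if 'htaccess' appears in a field's allowed-extension string.

    Drupal keeps allowed extensions as a space-separated string, e.g. 'txt pdf'.
    Matching is case-insensitive and tolerates a leading dot.
    """
    return "htaccess" in {e.strip().lower().lstrip(".") for e in extensions.split()}


def assess(drush_line, field_extensions):
    """Combine both conditions: vulnerable core AND a field permitting .htaccess."""
    version = parse_version(drush_line)
    vuln = version_vulnerable(version)
    exposed = any(htaccess_allowed(ext) for ext in field_extensions)
    return {
        "version": version,
        "vulnerable_version": vuln,
        "htaccess_field": exposed,
        "exposed": vuln and exposed,
    }


if __name__ == "__main__":
    # Constructed inputs: one drush status line and two file fields' settings.
    sample_line = "Drupal version : 9.4.2"
    sample_fields = ["txt pdf", "jpg png htaccess"]
    print(assess(sample_line, sample_fields))
```

In a real deployment the extension strings would come from each file field's storage settings (exported configuration or the field edit form); the script reports `exposed` only when both conditions hold, matching the advisory's statement that the default configuration is not affected.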

📡 Detection & Monitoring

Log Indicators:

  • File upload attempts with .htaccess extension
  • Apache error logs showing .htaccess parsing errors

Network Indicators:

  • HTTP POST requests uploading files with .htaccess extension

SIEM Query:

source="apache_access" AND uri_path="*upload*" AND request_body="*.htaccess*"
