CVE-2025-11570
📋 TL;DR
This vulnerability allows cross-site scripting (XSS) attacks in the drupal-pattern-lab/unified-twig-extensions package due to insufficient data filtering. It affects systems using this unmaintained package, but only when code is executed outside of Drupal's security context. The vulnerability enables attackers to inject malicious scripts that could steal user data or perform unauthorized actions.
💻 Affected Systems
- drupal-pattern-lab/unified-twig-extensions
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, credentials, or performing actions on behalf of authenticated users.
Likely Case
Limited XSS exploitation affecting specific components that use the vulnerable functions outside Drupal's security sandbox.
If Mitigated
No impact when code runs within Drupal's security context or with proper input validation in place.
🎯 Exploit Status
Exploitation requires specific conditions: vulnerable code must run outside Drupal's security context and accept user-controlled input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.1 of drupal/unified_twig_ext
Vendor Advisory: https://www.drupal.org/sa-contrib-2023-041
Restart Required: No
Instructions:
1. Remove the drupal-pattern-lab/unified-twig-extensions package.
2. Install drupal/unified_twig_ext version 1.1.1 or later via Composer: composer require drupal/unified_twig_ext:^1.1.1
3. Update any references to the old package in your codebase.
🔧 Temporary Workarounds
Disable vulnerable functions (all versions)
Prevent execution of the vulnerable link function outside the Drupal context: modify code so that the link() function only runs within Drupal's security context.
Input validation wrapper (all versions)
Add custom input filtering to sanitize all data passed to the vulnerable functions: implement HTML entity encoding or use Drupal's built-in sanitization functions.
🧯 If You Can't Patch
- Ensure all code using this package runs exclusively within Drupal's security context
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check composer.json for 'drupal-pattern-lab/unified-twig-extensions' dependency or search codebase for references to this package.
Check Version:
composer show drupal/unified_twig_ext | grep versions
Verify Fix Applied:
Verify composer.json shows 'drupal/unified_twig_ext' version 1.1.1 or later, and no references to the vulnerable package remain.
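The three verification steps above can be run against a project's composer.lock in one pass. The following script is an added example, not part of the advisory or of either package; it assumes a standard composer.lock layout ("packages" and "packages-dev" arrays with "name" and "version" keys) and uses the package names and fixed version stated in this advisory. The sample lock file is constructed for the demonstration.

```python
import json
from typing import Optional, Tuple

# Package names and the fixed version come from the advisory text above.
VULNERABLE_PACKAGE = "drupal-pattern-lab/unified-twig-extensions"
REPLACEMENT_PACKAGE = "drupal/unified_twig_ext"
FIXED_VERSION = (1, 1, 1)


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn a Composer version such as 'v1.1.1' or '1.0' into a 3-tuple.
    Branch aliases ('dev-main') and pre-releases ('1.1.1-beta1') return
    None so they are reported for manual review rather than guessed."""
    v = version.lstrip("v")
    if "-" in v:
        return None
    parts = (v.split(".") + ["0", "0"])[:3]
    try:
        return tuple(int(p) for p in parts)  # type: ignore[return-value]
    except ValueError:
        return None


def audit_composer_lock(lock_json: str) -> dict:
    """Report CVE-2025-11570 exposure from composer.lock content.
    Dev packages are checked too, since Pattern Lab tooling is
    commonly installed as a dev dependency."""
    lock = json.loads(lock_json)
    installed = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            installed[pkg["name"]] = pkg.get("version", "")
    findings = []
    if VULNERABLE_PACKAGE in installed:
        findings.append(f"{VULNERABLE_PACKAGE} {installed[VULNERABLE_PACKAGE]} installed: remove it")
    if REPLACEMENT_PACKAGE in installed:
        raw = installed[REPLACEMENT_PACKAGE]
        ver = parse_version(raw)
        if ver is None:
            findings.append(f"{REPLACEMENT_PACKAGE} {raw}: version not comparable, check manually")
        elif ver < FIXED_VERSION:
            findings.append(f"{REPLACEMENT_PACKAGE} {raw} is below 1.1.1: upgrade")
    return {"vulnerable": bool(findings), "findings": findings}


# Constructed sample: the old package still present as a dev dependency.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "drupal/core", "version": "10.2.0"}],
    "packages-dev": [{"name": VULNERABLE_PACKAGE, "version": "1.0.0"}],
})

if __name__ == "__main__":
    for line in audit_composer_lock(SAMPLE_LOCK)["findings"]:
        print(line)
```

Run it as `python audit.py` after replacing SAMPLE_LOCK with the contents of the project's composer.lock; an empty findings list means neither package name nor an outdated replacement was found.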
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution in Pattern Lab contexts
- Unexpected link function calls outside Drupal
Network Indicators:
- Suspicious script tags in Pattern Lab component requests
SIEM Query:
Search for 'unified-twig-extensions' in deployment logs or dependency audit reports