CVE-2025-13081

5.9 MEDIUM

📋 TL;DR

This CVE describes an object injection vulnerability in Drupal core that allows attackers to improperly modify dynamically determined object attributes. It affects Drupal sites running the vulnerable versions listed below and can potentially lead to arbitrary code execution or data manipulation. All Drupal installations within the specified version ranges are affected.

💻 Affected Systems

Products:
  • Drupal core
Versions: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Drupal installations within these version ranges are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or site defacement.

🟠 Likely Case

Privilege escalation, data manipulation, or denial of service through object injection.

🟢 If Mitigated

Limited impact if proper input validation and access controls are enforced, though object injection could still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of Drupal's object handling and likely requires some level of access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.4.9, 10.5.6, 11.1.9, 11.2.8

Vendor Advisory: https://www.drupal.org/sa-core-2025-006

Restart Required: No

Instructions:

1. Back up your Drupal site.
2. Update Drupal core to the patched version using Composer: 'composer update drupal/core-recommended --with-dependencies'.
3. Clear caches: 'drush cr' or via the admin interface.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Input validation hardening (applies to: all)

Implement strict input validation on all user-controlled data that could affect object attributes.

🧯 If You Can't Patch

  • Implement strict WAF rules to block suspicious object manipulation patterns.
  • Restrict access to vulnerable Drupal instances to trusted networks only.

🔍 How to Verify

Check if Vulnerable:

Check Drupal version via admin interface at /admin/reports/status or using 'drush status' command.

Check Version:

drush status | grep 'Drupal version'

or check /admin/reports/status in the admin interface.

Verify Fix Applied:

Confirm Drupal version is 10.4.9+, 10.5.6+, 11.1.9+, or 11.2.8+.
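To automate this version check, here is an added Python example (not from Drupal or the advisory) that encodes the affected ranges from this card and reads the installed version out of captured `drush status` output; the sample output is constructed and the helper names are my own.

```python
import re

# Affected ranges from this CVE card as (from, before) pairs: the start is
# inclusive, the end (the fixed release) is exclusive.
AFFECTED_RANGES = [
    ((8, 0, 0), (10, 4, 9)),
    ((10, 5, 0), (10, 5, 6)),
    ((11, 0, 0), (11, 1, 9)),
    ((11, 2, 0), (11, 2, 8)),
]

def parse_version(version: str) -> tuple:
    """'10.4.8' -> (10, 4, 8, 1); '10.4.9-rc1' -> (10, 4, 9, 0).

    The last element is 0 for a pre-release and 1 for a final release, so a
    pre-release sorts before the final release with the same number.
    """
    core, sep, _suffix = version.strip().partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    return tuple(int(p) for p in parts) + (0 if sep else 1,)

def is_affected(version: str) -> bool:
    """True if the version lies in an affected range; pre-releases of the
    fixed version still count as affected because they precede the fix."""
    v = parse_version(version)
    return any(lo + (0,) <= v < hi + (1,) for lo, hi in AFFECTED_RANGES)

# Version line as printed by `drush status`; the exact spacing is an assumption.
DRUSH_VERSION_RE = re.compile(r"Drupal version\s*:\s*(\S+)")

def version_from_drush_status(output: str) -> str:
    """Pull the version string out of captured `drush status` output."""
    match = DRUSH_VERSION_RE.search(output)
    if not match:
        raise ValueError("no 'Drupal version' line found in drush output")
    return match.group(1)

# Constructed sample output, not captured from a real site.
SAMPLE_DRUSH_STATUS = """\
 Drupal version   : 10.4.8
 Site URI         : http://default
 Drupal bootstrap : Successful
"""

if __name__ == "__main__":
    found = version_from_drush_status(SAMPLE_DRUSH_STATUS)
    print(f"Drupal {found}: {'AFFECTED' if is_affected(found) else 'not affected'}")
```

Feed it the real `drush status` output from each site to flag instances that still need the update.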

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP object serialization errors
  • Unexpected class instantiation in logs
  • Failed unserialize operations

Network Indicators:

  • HTTP requests with serialized object payloads
  • Unusual POST data patterns

SIEM Query:

source="drupal.log" AND ("unserialize" OR "__wakeup" OR "__destruct")
