CVE-2025-13984
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in the Drupal Next.js module caused by an overly permissive cross-domain security policy. An attacker can inject script that executes in the browser of a user who visits an affected page. It affects Drupal sites running vulnerable versions of the Next.js module.
💻 Affected Systems
- Drupal Next.js module (1.x releases before 1.6.4, 2.x releases before 2.0.1)
📦 What is this software?
Next.js by Kanopi
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites, potentially leading to complete account compromise.
Likely Case
Attackers inject malicious scripts to steal user session tokens or credentials, leading to unauthorized access to user accounts and potential data theft.
If Mitigated
A restrictive Content Security Policy and correct output encoding reduce the chance that an injected script actually runs, but the flaw remains in the module's code until it is updated. A CSP that permits 'unsafe-inline' or a wildcard script source gives no protection against it.
🎯 Exploit Status
XSS vulnerabilities typically need little skill to exploit once the injection point is known. This page records no public exploit code; the advisory indicates that the overly permissive cross-domain policy lets script be injected from untrusted domains.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.4 (1.x branch) or 2.0.1 (2.x branch)
Vendor Advisory: https://www.drupal.org/sa-contrib-2025-122
Restart Required: No (a cache rebuild is required)
Instructions:
1. Update the Next.js module to 1.6.4 on the 1.x branch or 2.0.1 on the 2.x branch. On a Composer-managed site: composer update drupal/next --with-dependencies (substitute the package name your site actually installs if it differs).
2. Apply any pending database updates: drush updatedb
3. Clear Drupal caches: drush cache:rebuild
4. Verify the installed version (see How to Verify below) in the deployed codebase, not only on a developer workstation.
🔧 Temporary Workarounds
Implement a strict Content Security Policy
Add a restrictive CSP header so the browser only executes scripts from the site's own origin. This blunts the most common payloads (inline script blocks, event-handler attributes, scripts loaded from an attacker's domain) but does not remove the bug, and it stops nothing if the policy also allows 'unsafe-inline' or a wildcard script source.
Apache (.htaccess or vhost config, requires mod_headers): Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"
Nginx (server or location block): add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
Test on a staging copy first: a policy this strict can break themes and contrib modules that depend on inline scripts or third-party assets. Deploy it as Content-Security-Policy-Report-Only with a report-uri or report-to directive to see what it would block before enforcing it.
Uninstall the Next.js module
Temporarily remove the vulnerable module if immediate patching is not possible. Drupal 8 and later cannot disable a module, only uninstall it, and uninstalling deletes the module's configuration. Export configuration (drush config:export) or take a database backup first so the integration can be restored after patching.
drush pm:uninstall <module machine name>
drush pm-disable belongs to Drush 8 and earlier and no longer exists. Use the machine name shown by drush pm:list; the drupal.org Next.js project uses next, so confirm whether nextjs is the correct name on your site before running the command.
Or uninstall via the Drupal admin interface at /admin/modules/uninstall
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to restrict script execution.
- Uninstall the Next.js module until patching is possible (Drupal 8 and later has no disable; export configuration first).
🔍 How to Verify
Check if Vulnerable:
Find the installed Next.js module version. On a Composer-managed site the authoritative source is composer.lock in the deployed codebase: composer show drupal/next (substitute the package name your site uses). Inside Drupal, /admin/reports/updates lists installed contrib versions, and drush pm:list --type=module shows each module's status and version (pm-list is the Drush 8 spelling). Any 1.x release below 1.6.4 or 2.x release below 2.0.1 is vulnerable.
Check Version:
composer show drupal/next | grep versions
drush pm:list --type=module | grep -i next
Verify Fix Applied:
Confirm the reported version is 1.6.4 or later on the 1.x branch, or 2.0.1 or later on the 2.x branch, using the same commands. Rebuild caches afterwards (drush cache:rebuild) so /admin/reports/updates reflects the new version, and check the deployed codebase rather than a developer checkout.
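For a fleet of sites the branch-aware comparison above is easy to get wrong by hand (a 1.6.x site must be compared against 1.6.4, a 2.0.x site against 2.0.1, and pre-releases and dev snapshots need separate handling). The following script is an added example, not code from the page or from the module project: it classifies a version string against the fixed releases stated above and reads the JSON that composer show --format=json emits. The package name drupal/next and the sample JSON are assumptions, constructed for the example.

```python
import json
import re

# Fixed releases stated on this page for the two supported branches.
FIXED_RELEASE = {1: (1, 6, 4), 2: (2, 0, 1)}

_PRE_RELEASE = re.compile(r"-(alpha|beta|rc)\d*$", re.I)


def parse_version(raw):
    """Normalise a reported version to a comparable tuple.

    Accepts composer-style '1.6.3' / 'v2.0.1', pre-releases such as
    '2.0.0-beta1', and legacy drupal.org-style '8.x-1.6'.
    Dev snapshots ('1.x-dev', '2.0.x-dev') carry no release number and
    return None so they are flagged for manual review rather than guessed.
    The last tuple element is 0 for a pre-release and 1 for a final
    release, so '1.6.4-rc1' sorts below '1.6.4'.
    """
    s = raw.strip().lstrip("v")
    s = re.sub(r"^\d+\.x-", "", s)        # drop the core-compat prefix ('8.x-')
    if "dev" in s.lower():
        return None
    is_final = 1
    if _PRE_RELEASE.search(s):
        is_final = 0
        s = _PRE_RELEASE.sub("", s)
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), is_final)


def is_vulnerable(raw):
    """True if below the fixed release of its branch, False if at or above,
    None if the version cannot be classified (dev snapshot, unknown branch)."""
    v = parse_version(raw)
    if v is None:
        return None
    fixed = FIXED_RELEASE.get(v[0])
    if fixed is None:
        return None
    return v < fixed + (1,)


def check_composer_show(composer_show_json, package="drupal/next"):
    """Classify the installed module from `composer show --format=json` output.

    Returns (version, is_vulnerable) or (None, None) if the package is absent.
    The package name 'drupal/next' is an assumption (the drupal.org Next.js
    project); pass the name your site actually installs.
    """
    data = json.loads(composer_show_json)
    for pkg in data.get("installed", []):
        if pkg.get("name") == package:
            return pkg["version"], is_vulnerable(pkg["version"])
    return None, None


# Constructed sample in the shape `composer show --format=json` emits; not real output.
SAMPLE_COMPOSER_SHOW = json.dumps({
    "installed": [
        {"name": "drupal/core", "version": "10.3.6"},
        {"name": "drupal/next", "version": "1.6.3"},
    ]
})

if __name__ == "__main__":
    version, vulnerable = check_composer_show(SAMPLE_COMPOSER_SHOW)
    print(f"drupal/next {version}: {'VULNERABLE' if vulnerable else 'fixed'}")
    for v in ("1.6.3", "1.6.4", "1.6.4-rc1", "8.x-1.6", "2.0.0", "2.0.1", "1.x-dev", "3.0.0"):
        print(f"{v:>10}: {is_vulnerable(v)}")
```

Pipe real output in with composer show --format=json on each site and feed it to check_composer_show; anything that returns None (dev snapshot or a branch this page does not list) needs a human to look at the advisory rather than an automatic verdict.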
📡 Detection & Monitoring
Log Indicators:
- Request URLs or form parameters in web server logs containing script markup (`<script`, `javascript:`, `onerror=`), normally percent-encoded (`%3Cscript`) and sometimes double-encoded (`%253Cscript`) to evade simple filters.
- CSP violation reports (report-uri / report-to) naming unexpected script sources. Browser console errors stay on the client and never reach server logs; a reporting endpoint is what makes blocked scripts observable.
Network Indicators:
- HTTP requests whose query or body parameters carry script payloads.
- Requests from users' browsers, with the Drupal site as referer, to domains the site does not legitimately use: this is what cookie or token exfiltration looks like, and CSP reports or a forward proxy are where it becomes visible.
SIEM Query:
web_access_logs AND (url_contains("<script") OR url_contains("%3Cscript") OR url_contains("javascript:") OR url_contains("javascript%3A"))
This is pseudo-syntax to adapt to your SIEM. Raw access logs hold the request line percent-encoded, so a search for the literal `<script` alone finds nothing; URL-decode the field in the ingestion pipeline where possible, otherwise match the encoded forms as well.
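To show the decoding point concretely, here is an added example (not code from the page or the module project) that scans combined-format access-log lines for the indicators listed above. It percent-decodes each request URL repeatedly until it stops changing, so both single- and double-encoded payloads are caught, and reports which indicator fired. The log lines are constructed for the example; the paths and client addresses are not real traffic.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" access-log line: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of script injection attempts, matched against the fully decoded URL.
XSS_INDICATORS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("html_injection", re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I)),
]


def normalize_url(url, max_rounds=3):
    """Percent-decode repeatedly until stable.

    A raw log never contains a literal '<' in the request line, so matching
    '<script' without decoding finds nothing; attackers also double-encode
    ('%253C') to slip past single-pass filters, hence the loop.
    """
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def scan_line(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = normalize_url(m.group("url"))
    hits = [name for name, pat in XSS_INDICATORS if pat.search(url)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "url": url,
        "indicators": hits,
    }


def scan_log(text):
    """Scan a whole log; returns the list of findings in file order."""
    return [f for f in map(scan_line, text.splitlines()) if f]


# Constructed sample lines (not real traffic); clients are RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:01:02 +0000] "GET /node/1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Nov/2025:10:01:05 +0000] "GET /search/node?keys=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.12 - - [12/Nov/2025:10:01:09 +0000] "GET /node/2?ref=javascript%3Aalert(document.cookie) HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Nov/2025:10:01:12 +0000] "GET /node/2?ref=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Nov/2025:10:01:15 +0000] "GET /user/login?destination=/node/1 HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {','.join(f['indicators'])} {f['url']}")
```

Treat hits as triage signals, not verdicts: the event_handler pattern will also fire on a legitimate parameter whose name happens to start with "on", and a 200 response to a payload does not by itself prove the script ran. Pair the scan with Drupal's own log (drush watchdog:show) and with CSP violation reports to see whether a payload reached a rendered page.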