CVE-2025-31674

7.5 HIGH

📋 TL;DR

This CVE describes a PHP object injection (gadget chain) vulnerability in Drupal core, classed as CWE-915: classes shipped in core can be abused, when a serialized object naming them is passed to unserialize(), to modify dynamically-determined object attributes in ways the code never intended. Chained with a separate bug that lets an attacker deliver serialized data to unserialize(), it could lead to arbitrary code execution or manipulation of application behaviour. The vendor advisory (SA-CORE-2025-003) states that the issue is not directly exploitable on its own. All Drupal sites running affected versions carry the vulnerable code.

💻 Affected Systems

Products:
  • Drupal core
Versions: 8.0.0 to 10.3.12, 10.4.0 to 10.4.2, 11.0.0 to 11.0.11, 11.1.0 to 11.1.2
Operating Systems: All operating systems running Drupal
Default Config Vulnerable: ⚠️ Yes
Notes: All Drupal installations within affected version ranges are vulnerable regardless of configuration

📦 What is this software?

Drupal is an open-source content management system written in PHP. Drupal core is the base package that every Drupal 8 and later site runs, so this bug is present on every such site regardless of which contributed modules are installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or site takeover, if an attacker can chain this gadget with a separate bug that passes attacker-controlled data to unserialize()

🟠 Likely Case: Privilege escalation, data manipulation, or denial of service, and only where such a deserialization entry point exists; the vendor advisory reports no known entry point in core at publication time

🟢 If Mitigated: Patched versions remove the usable gadget chain; on an unpatched site the impact stays limited only as long as no code path feeds untrusted data to unserialize()

🌐 Internet-Facing: HIGH - Drupal sites are typically internet-facing content management systems
🏢 Internal Only: MEDIUM - Internal Drupal instances could still be exploited by authenticated users

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a second vulnerability that lets the attacker pass serialized data to unserialize() (the vendor advisory reports none known in core), knowledge of the gadget chain inside Drupal's object handling, and likely some level of access to the target site

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.3.13, 10.4.3, 11.0.12, or 11.1.3

Vendor Advisory: https://www.drupal.org/sa-core-2025-003

Restart Required: No for the PHP code itself, but reload PHP-FPM (or the web server) if opcache.validate_timestamps is disabled, otherwise the old classes stay in the opcode cache

Instructions:

1. Back up the Drupal site files and database.
2. Update Drupal core with Composer: 'composer update "drupal/core-*" --with-all-dependencies' (the command Drupal's update documentation gives; it covers both drupal/core and drupal/core-recommended setups). Tarball-based installs must download the patched release instead.
3. Run database updates: 'drush updatedb', or /update.php via the admin interface.
4. Clear all caches: 'drush cr', or via the admin interface.
5. Confirm the new version with 'drush status'.

🔧 Temporary Workarounds

Input validation hardening (applies to: all affected versions)

There is no configuration switch that removes the gadget chain, so the only workaround is to make sure nothing can deliver attacker-controlled serialized data to unserialize(): audit custom and contributed modules for unserialize() calls on request parameters, cookies, or user-writable database and cache content; switch those to JSON, or pass ['allowed_classes' => false] where object support is not needed; and keep contributed modules current. The vendor advisory reports no known entry point in core itself at publication time.

🧯 If You Can't Patch

  • Remove or neutralise unserialize() on user-controlled data in custom and contributed code (PHP's second argument, ['allowed_classes' => false], stops object instantiation outright)
  • Restrict access to unpatched instances with network segmentation, and add WAF rules that block requests carrying a serialized PHP object header (O:<n>:") in query strings, bodies, or cookies, in raw and percent-encoded form

🔍 How to Verify

Check if Vulnerable:

Read the core version from /admin/reports/status or from 'drush status' and compare it with the affected ranges above: any 8.x or 9.x release, 10.x below 10.3.13 or 10.4.3, and 11.x below 11.0.12 or 11.1.3 is vulnerable

Check Version:

drush status | grep 'Drupal version'   (or open /admin/reports/status; 'composer show drupal/core' also reports the installed version)

Verify Fix Applied:

Confirm the version is 10.3.13+, 10.4.3+, 11.0.12+, or 11.1.3+. The fix changes internal core classes and has no user-facing feature to exercise, so the version check is the verification; there is no safe functional test for an object-injection gadget.
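A version check that can be scripted across many sites, as an added example (not Drupal's or the advisory's code): it parses the "Drupal version" line that drush status prints and tests it against the affected ranges listed above. The function names, the drush output layout it expects, and the sample lines in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example for CVE-2025-31674: decide whether a Drupal core version
# falls inside the affected ranges (8.0.0-10.3.12, 10.4.0-10.4.2,
# 11.0.0-11.0.11, 11.1.0-11.1.2). Not from the advisory or Drupal itself.

# Return 0 (true) when VERSION is affected, 1 when it is patched or outside
# the listed ranges. Pre-release suffixes such as "-dev" are ignored.
drupal_is_vulnerable() {
    v=${1%%[!0-9.]*}                    # keep only the numeric major.minor.patch
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$rest" = "$minor" ] && patch=0   # tolerate "10.3" with no patch level
    [ "$major" = "$v" ] && return 1     # not a parsable x.y[.z] string

    case $major in
        8|9) return 0 ;;                # every 8.x and 9.x release is affected
        10)
            [ "$minor" -lt 3 ] && return 0
            [ "$minor" -eq 3 ] && [ "$patch" -lt 13 ] && return 0
            [ "$minor" -eq 4 ] && [ "$patch" -lt 3 ] && return 0
            return 1 ;;
        11)
            [ "$minor" -eq 0 ] && [ "$patch" -lt 12 ] && return 0
            [ "$minor" -eq 1 ] && [ "$patch" -lt 3 ] && return 0
            return 1 ;;
        *) return 1 ;;                  # Drupal 7 and earlier are not in the listed ranges
    esac
}

# Extract the version from 'drush status' output read on stdin. The assumed
# line shape is " Drupal version   : 10.3.12" (Drush 9 and later).
drupal_version_from_status() {
    awk -F' *: *' '/^ *Drupal version/ { print $2; exit }'
}

# Pipe 'drush status' in; returns 0 and says so when the site is affected.
# Usage from the site root (assumes drush is on PATH):
#   drush status | check_drupal_site
check_drupal_site() {
    ver=$(drupal_version_from_status)
    if drupal_is_vulnerable "$ver"; then
        echo "Drupal $ver: VULNERABLE to CVE-2025-31674, update to 10.3.13 / 10.4.3 / 11.0.12 / 11.1.3 or later"
        return 0
    fi
    echo "Drupal $ver: not in the affected ranges"
    return 1
}
```

The ranges are hard-coded on purpose: a fleet-wide check should not depend on reaching drupal.org, and the fixed versions are the only fact that matters. Versions newer than the listed branches (10.5.x, 11.2.x) were released after the fix and are reported as not affected.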

📡 Detection & Monitoring

Log Indicators:

  • PHP warnings or errors from unserialize() in the PHP error log or Drupal's watchdog (dblog/syslog), such as "unserialize(): Error at offset": a malformed payload is the one case where deserialization leaves a trace
  • Fatal errors or exceptions raised from __wakeup() or __destruct() of core classes
  • A payload that deserializes cleanly produces no error at all, so the absence of these indicators is not evidence of absence

Network Indicators:

  • Unusual POST requests containing serialized objects
  • Requests to Drupal endpoints with unexpected object parameters

SIEM Query:

source="drupal.log" AND ("unserialize" OR "__wakeup" OR "__destruct")

The query matches PHP error and watchdog entries that mention deserialization or the magic methods a gadget chain relies on; it will not catch a payload that deserializes without error, so pair it with the network indicators above.
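The network indicators above can be checked offline against web-server or WAF logs. The following is an added example, not part of this page or of any Drupal tooling: it flags lines that carry a serialized PHP object header, raw or percent-encoded, and extracts the class names so an analyst can see what an attacker tried to instantiate. The function names are mine, and the lines produced by sample_log are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example: hunt for serialized PHP object headers (O:<len>:"<class>")
# in web-server or WAF log lines. Not part of Drupal or the advisory.

# Keep only lines that contain a PHP object header, raw or percent-encoded
# (O%3A8%3A%22stdClass%22). The trailing :" is required so strings such as
# "RATIO:12" do not trigger.
php_object_lines() {
    grep -E 'O:[0-9]+:"|O%3[Aa][0-9]+%3[Aa]%22'
}

# Decode the percent-encoded characters that matter (':' '"' '\'), pull out
# every object header and print the distinct class names, one per line.
# Namespaced classes keep their backslashes, e.g. Foo\Bar.
php_object_classes() {
    sed -e 's/%3[Aa]/:/g' -e 's/%22/"/g' -e 's/%5[Cc]/\\/g' \
    | grep -oE 'O:[0-9]+:"[^"]+"' \
    | sed -E -e 's/^O:[0-9]+:"//' -e 's/"$//' \
    | sort -u
}

# Constructed sample lines in Apache combined format; the last line imagines a
# WAF that appends the request body. None of these are real traffic.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [19/Mar/2025:10:00:01 +0000] "POST /user/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Mar/2025:10:00:07 +0000] "GET /search/node?keys=RATIO:12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Mar/2025:10:00:09 +0000] "GET /?q=O%3A7%3A%22Foo%5CBar%22%3A0%3A%7B%7D HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.2 - - [19/Mar/2025:10:00:11 +0000] "POST /index.php HTTP/1.1" 200 1024 "-" "python-requests/2.31" body=a:1:{i:0;O:8:"stdClass":0:{}}
EOF
}

# Usage against a real file:
#   php_object_lines < /var/log/apache2/access.log | php_object_classes
```

Access logs only show query strings, so request bodies and cookies are visible only if a WAF or application log records them; Apache also escapes quotes inside the request line as \", so extend the pattern with an optional backslash if your logs store raw bodies that way. Base64-wrapped payloads are out of scope for this pattern.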

🔗 References

  • Vendor advisory SA-CORE-2025-003: https://www.drupal.org/sa-core-2025-003
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-31674
