CVE-2025-31695
📋 TL;DR
The Link field display mode formatter contributed module for Drupal does not adequately escape link field values before rendering them, so a user who can set a link field value can store script that runs in the browser of everyone who views the rendered field (stored cross-site scripting, XSS). A successful attack can hijack sessions, deface pages, or redirect visitors to attacker-controlled sites. Every Drupal site running a vulnerable release of this module is affected.
💻 Affected Systems
- Drupal Link field display mode formatter module
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with content-editing access plants a payload that runs when an administrator views the affected content, hijacks that administrator's session, and uses it to take full control of the Drupal site, install backdoors, or access user data.
Likely Case
Attackers inject JavaScript that acts with the privileges of whoever views the page: issuing requests as the victim, stealing session cookies where they are not HttpOnly, redirecting users to phishing sites, or defacing content visible to other users.
If Mitigated
With the fixed module, link field values are escaped on output, so injected markup is rendered as literal text and no script executes; the residual exposure is limited to whatever content an editor is already permitted to publish in that field.
🎯 Exploit Status
XSS of this kind is low complexity to exploit. Because the payload is stored in a link field, the attacker needs an account permitted to create or edit content that is rendered with the vulnerable formatter; on sites that let anonymous or self-registered users submit such content, that bar is effectively zero. Once stored, the script runs for every visitor who views the rendered field, administrators included, with no further interaction from the victim.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.0
Vendor Advisory: https://www.drupal.org/sa-contrib-2025-024
Restart Required: No
Instructions:
1. Update the Link field display mode formatter module to version 1.6.0 or later, using Drupal's update manager or Composer, whichever manages the site's contributed modules.
2. Run any pending database updates, then clear Drupal caches so the patched formatter is used for rendering.
3. Confirm the update took effect by checking that the module reports version 1.6.0 or later on the Extend page or with drush pm:list.
🔧 Temporary Workarounds
Uninstall the vulnerable module
Temporarily uninstall the Link field display mode formatter module until patching is possible. Drupal 8 and later have no separate "disabled" state, and the Drupal 7-era drush pm-disable command no longer exists, so use pm:uninstall (Drush 9 and later; pm-uninstall on Drush 8). Uninstalling a module that provides a field formatter changes the display settings of any field that used it, so note those settings first and restore them after the patched version is installed.
drush pm:uninstall link_field_display_mode_formatter
Apply input filtering
Add validation on link field values (both the URL and the link text) that rejects markup and script-capable URL schemes such as javascript: and data:. Treat this as a stopgap only: the defect is in output rendering, and input filtering does nothing for values that are already stored, which should be audited separately.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in link fields
- Restrict access to content editing interfaces to trusted users only
🔍 How to Verify
Check if Vulnerable:
Confirm whether the module is installed, and at which version, on the Extend page (/admin/modules) or with Drush (Drush 9+ syntax shown; Drush 8 spells it pm-list): drush pm:list | grep link_field_display_mode_formatter
Check Version:
drush pm:list --fields=name,version | grep link_field_display_mode_formatter
Verify Fix Applied:
Confirm the reported version is 1.6.0 or higher. Then, on a staging copy of the site, save content whose link field uses this formatter with a test payload such as <script>alert('test')</script> in the link text, view the rendered page, and check that the payload appears as literal text and no dialog opens. Test the URL side as well (for example a javascript: scheme), since a link formatter emits both the href and the link text.
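As an added example (not from the advisory or the module project), here is a small Python check that parses the CSV form of drush pm:list output and compares the installed version against 1.6.0. It assumes the Drush 9+ CSV shape, in which the name column carries the human-readable name followed by the machine name in parentheses, and uses the machine name this page gives; the pm:list sample embedded in it is constructed, not captured from a real site.

```python
import csv
import io
import re

# Constructed sample of `drush pm:list --fields=name,version --format=csv`
# output (not captured from a real site). The machine name assumed here is
# the one this page uses; check it against the module's .info.yml.
SAMPLE_PM_LIST = """\
Token (token),8.x-1.14
Link field display mode formatter (link_field_display_mode_formatter),1.5.0
Pathauto (pathauto),8.x-1.13
"""

FIXED_VERSION = "1.6.0"   # first fixed release per the advisory on this page
MODULE = "link_field_display_mode_formatter"

# Accepts legacy "8.x-1.5" style, semantic "1.5.0" style and dev branches
# such as "8.x-1.x-dev", with an optional pre-release suffix (-dev, -rc1, ...).
_VERSION_RE = re.compile(
    r"^(?:\d+\.x-)?(\d+(?:\.\d+)*)(?:\.x)?(?:-([a-z]+)(\d*))?$"
)


def parse_version(version):
    """Turn a Drupal contrib version string into a comparable tuple.

    Pre-release builds sort before the release they precede, so "1.6.0-dev"
    is treated as older than "1.6.0" and is still flagged as vulnerable.
    """
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(n) for n in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))   # "1.5" -> (1, 5, 0)
    if m.group(2):                          # pre-release ranks below release
        pre = (0, m.group(2), int(m.group(3) or 0))
    else:
        pre = (1,)
    return numbers + pre


def installed_version(pm_list_csv, machine_name=MODULE):
    """Return the version string for machine_name from pm:list CSV, or None."""
    for row in csv.reader(io.StringIO(pm_list_csv)):
        if len(row) < 2:
            continue
        name, version = row[0], row[1]
        if name.strip().endswith(f"({machine_name})"):
            return version.strip()
    return None


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is older than the first fixed release."""
    return parse_version(version) < parse_version(fixed)


def check_site(pm_list_csv):
    """Summarise exposure as ('not installed' | 'vulnerable' | 'fixed', version)."""
    version = installed_version(pm_list_csv)
    if version is None:
        return "not installed", None
    return ("vulnerable" if is_vulnerable(version) else "fixed"), version


if __name__ == "__main__":
    import sys
    # Real use:  drush pm:list --fields=name,version --format=csv > pm_list.csv
    #            python3 check_cve_2025_31695.py pm_list.csv
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PM_LIST
    state, version = check_site(text)
    print(f"{MODULE}: {state}" + (f" ({version})" if version else ""))
```

Pre-release and dev snapshots are deliberately classed as older than the release they lead up to, so a site on a 1.6.0-dev build is still reported as vulnerable and should move to the tagged release.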
📡 Detection & Monitoring
Log Indicators:
- POST requests to node create and edit forms (/node/add/*, /node/*/edit) whose bodies carry script tags, inline event-handler attributes, or javascript: URLs in link field parameters. Standard web server access logs do not record request bodies, so this indicator needs a WAF, ModSecurity-style audit log, or application-level request logging that captures them.
- Repeated WAF blocks of XSS payloads against those forms from the same account or source IP.
Network Indicators:
- Requests from site visitors' browsers (not from the Drupal server itself) to attacker-controlled domains after loading pages that render the affected link field. A Content Security Policy with reporting enabled turns this into a direct signal: inline-script violation reports for those pages.
- Pages that render the affected field loading scripts or other resources from origins the site does not normally use.
SIEM Query:
web_server_logs WHERE http_method = 'POST' AND (url_path CONTAINS '/node/add' OR url_path MATCHES '/node/[0-9]+/edit') AND (request_body CONTAINS '<script' OR request_body CONTAINS '%3Cscript' OR request_body CONTAINS 'javascript:')
Drupal's edit path is /node/{nid}/edit, so a literal match on '/node/edit' never fires, and request_body must come from a log source that actually records bodies (WAF or audit logging rather than plain access logs). Substring matching also misses URL- and entity-encoded payloads, so decode before matching wherever the SIEM allows it.
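An added example, not part of the original page: Python detection logic that applies the SIEM query above to constructed WAF-style audit records, after decoding the URL- and entity-encoded variants that a plain substring match on '<script' misses. The JSON field names, the form parameter names (field_link[0][uri], field_link[0][title]) and every log line are assumptions made up for the example.

```python
import json
import re
from html import unescape
from urllib.parse import parse_qsl, unquote_plus

# Constructed WAF / audit-log style records, one JSON object per line. These
# are not real traffic, and the field names are assumptions for this example.
# Ordinary access logs carry no request body, so a source like this is needed.
SAMPLE_LOG = r'''
{"ts":"2025-05-01T10:00:01Z","src_ip":"198.51.100.7","method":"POST","path":"/node/add/article","user":"editor1","body":"title=Hello&field_link[0][uri]=https://example.org&field_link[0][title]=Example"}
{"ts":"2025-05-01T10:01:12Z","src_ip":"203.0.113.9","method":"POST","path":"/node/42/edit","user":"editor2","body":"field_link[0][uri]=https://example.org&field_link[0][title]=%3Cscript%3Ealert(1)%3C/script%3E"}
{"ts":"2025-05-01T10:02:30Z","src_ip":"203.0.113.9","method":"POST","path":"/node/42/edit","user":"editor2","body":"field_link[0][uri]=javascript%3Aalert(document.cookie)&field_link[0][title]=Click"}
{"ts":"2025-05-01T10:03:05Z","src_ip":"203.0.113.9","method":"POST","path":"/node/43/edit","user":"editor2","body":"field_link[0][uri]=https://example.org&field_link[0][title]=%26lt%3Bimg+src%3Dx+onerror%3Dalert(1)%26gt%3B"}
{"ts":"2025-05-01T10:04:00Z","src_ip":"198.51.100.7","method":"GET","path":"/node/42/edit","user":"editor1","body":""}
{"ts":"2025-05-01T10:05:00Z","src_ip":"198.51.100.8","method":"POST","path":"/contact","user":"anon","body":"message=%3Cscript%3E"}
'''

# Drupal's node forms: /node/add/{type} and /node/{nid}/edit.
NODE_FORM_RE = re.compile(r"^/node/(?:add(?:/[^/]+)?|\d+/edit)/?$")

# Payload shapes that matter for a link formatter: script tags, javascript:
# hrefs, inline event handlers and tags that carry them. The handler pattern is
# anchored on a preceding space/quote/slash/bracket so words like
# "Confirmation=" inside ordinary values do not trip it.
XSS_RE = re.compile(
    r"<\s*script"
    r"|javascript\s*:"
    r"|(?:^|[\s\"'/<])on[a-z]+\s*="
    r"|<\s*(?:img|svg|iframe|object|embed)\b",
    re.I,
)


def normalise(value, rounds=3):
    """Undo layered URL encoding and HTML entities (e.g. %253C, &lt;)."""
    for _ in range(rounds):
        decoded = unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(body):
    """Return (param_name, decoded_value) for every form value matching XSS_RE."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        decoded = normalise(value)
        if XSS_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def detect(log_text):
    """One finding per flagged parameter: (ts, src_ip, user, path, param, payload)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or not NODE_FORM_RE.match(rec.get("path", "")):
            continue
        for param, payload in suspicious_params(rec.get("body", "")):
            findings.append((rec["ts"], rec["src_ip"], rec.get("user"),
                             rec["path"], param, payload))
    return findings


def repeat_offenders(findings, threshold=2):
    """(src_ip, user) pairs with at least `threshold` flagged requests."""
    counts = {}
    for _, src_ip, user, *_ in findings:
        counts[(src_ip, user)] = counts.get((src_ip, user), 0) + 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print("ALERT", *f)
    print("repeat offenders:", repeat_offenders(detect(SAMPLE_LOG)))
```

The same pattern set is what a server-side validation constraint for the "Apply input filtering" workaround would reject. Because a stored XSS payload is submitted once and then served on every view, also run suspicious_params over the exported link field values themselves, not only over request logs; the request may predate log retention.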