CVE-2025-3737 – This vulnerability in the Drupal Google Maps: S... (How to Fix)

Q: What is the severity of CVE-2025-3737?

CVE-2025-3737 has a CVSS score of 5.9 (MEDIUM). This vulnerability in the Drupal Google Maps: Store Locator module allows attackers to execute arbitrary code on affected Drupal websites. All Drupal sites using any version of this contributed module are potentially vulnerable.

📋 TL;DR

This vulnerability in the Drupal Google Maps: Store Locator module allows attackers to execute arbitrary code on affected Drupal websites. All Drupal sites using any version of this contributed module are potentially vulnerable.

💻 Affected Systems

Products:

Drupal Google Maps: Store Locator module

Versions: *.* (all versions)

Operating Systems: All platforms running Drupal

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Drupal sites with this specific contributed module installed

📦 What is this software?

Store Locator Project by Google Maps\

View all CVEs affecting Store Locator Project →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise allowing data theft, defacement, or ransomware deployment

🟠

Likely Case

Website defacement, data exfiltration, or installation of backdoors

🟢

If Mitigated

Limited impact if proper web application firewalls and intrusion detection are in place

🌐 Internet-Facing: HIGH - Public websites are directly exposed to exploitation attempts

🏢 Internal Only: MEDIUM - Internal systems could be compromised through phishing or internal attackers

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Based on CVSS score and Drupal security advisory classification

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest version of the module

Vendor Advisory: https://www.drupal.org/sa-contrib-2025-038

Restart Required: No

Instructions:

1. Log into Drupal admin panel. 2. Navigate to Extend > Update. 3. Check for available updates. 4. Update Google Maps: Store Locator module to latest version. 5. Clear Drupal cache.

🔧 Temporary Workarounds

Disable vulnerable module

all

Temporarily disable the Google Maps: Store Locator module

drush pm:disable google_maps_store_locator

🧯 If You Can't Patch

Implement web application firewall rules to block suspicious requests to the module
Restrict access to the affected module paths using .htaccess or server configuration

🔍 How to Verify

Check if Vulnerable:

Check if google_maps_store_locator module is installed via Drupal admin panel or drush pm:list

Check Version:

drush pm:list --type=module --filter=google_maps_store_locator

Verify Fix Applied:

Verify module version is updated in Drupal admin panel or using drush pm:list

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to Google Maps Store Locator endpoints
PHP execution errors in web server logs

Network Indicators:

Suspicious traffic patterns to /google-maps-store-locator paths

SIEM Query:

web_server_logs WHERE (uri CONTAINS 'google-maps-store-locator' AND (status_code = 500 OR method = 'POST'))

📊 Metadata

CVE ID: CVE-2025-3737

CVSS v3 Score: 5.9 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

EPSS Score: 0.21% exploit probability (43.5th percentile)

Published: April 16, 2025

Last Updated: September 2, 2025

🔗 References

https://www.drupal.org/sa-contrib-2025-038 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON