CVE-2025-8675
📋 TL;DR
This Server-Side Request Forgery (SSRF) vulnerability in Drupal's AI SEO Link Advisor module allows attackers to make unauthorized requests from the server to internal or external systems. It affects all Drupal sites using AI SEO Link Advisor versions before 1.0.6. Attackers could potentially access internal services, perform port scanning, or interact with cloud metadata services.
💻 Affected Systems
- Drupal AI SEO Link Advisor
📦 What is this software?
AI SEO Link Advisor, maintained by the AI SEO Link Advisor project on drupal.org
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, cloud metadata (potentially obtaining credentials), perform port scanning of internal networks, or use the server as a proxy for attacks against other systems.
Likely Case
Information disclosure from internal services, reconnaissance of internal network, or abuse of server resources for scanning external targets.
If Mitigated
Limited impact if network segmentation restricts server access to sensitive internal services and cloud metadata endpoints are protected.
🎯 Exploit Status
SSRF vulnerabilities typically have low exploitation complexity, especially when unauthenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.6
Vendor Advisory: https://www.drupal.org/sa-contrib-2025-095
Restart Required: No
Instructions:
1. Update the AI SEO Link Advisor module to version 1.0.6 via Drupal's update manager or Composer.
2. Clear Drupal caches.
3. Verify the module is functioning correctly after the update.
🔧 Temporary Workarounds
Disable AI SEO Link Advisor Module
Applies to: all. Temporarily disable the vulnerable module until patching is possible:
drush pm:disable ai_seo_link_advisor
Network Segmentation
Applies to: all. Restrict outbound HTTP/HTTPS connections from web servers to only the external services they need.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SSRF patterns in requests
- Deploy network controls to restrict web server outbound connections to internal networks and cloud metadata endpoints
🔍 How to Verify
Check if Vulnerable:
Check Drupal's module list for the installed AI SEO Link Advisor version. Any version between 0.0.0 and 1.0.5 (that is, anything before 1.0.6) is vulnerable.
Check Version:
drush pm:list | grep ai_seo_link_advisor
Verify Fix Applied:
Confirm AI SEO Link Advisor module version is 1.0.6 or higher in Drupal's module administration page.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IP ranges, localhost, or cloud metadata endpoints
- Multiple failed connection attempts to various ports from web server
Network Indicators:
- HTTP requests from web server to internal services that shouldn't be accessed
- Requests to 169.254.169.254 (AWS metadata), 169.254.169.253 (Azure), or similar cloud metadata endpoints
SIEM Query:
source="web_server_logs" AND (uri CONTAINS "http://" OR uri CONTAINS "https://") AND (dest_ip IN (RFC1918_RANGES) OR dest_ip="169.254.169.254" OR dest_ip="169.254.169.253")
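The SIEM query above expressed as a runnable check: an added example, not part of the advisory, that scans egress/proxy log lines for web-server requests whose destination is an RFC 1918, loopback or link-local address (the link-local range covers the cloud metadata endpoints). The key=value log format and the sample lines are constructed for illustration.

```python
"""Flag outbound web-server requests matching the SSRF indicators above."""
import ipaddress
import re
from urllib.parse import urlsplit

# Destination ranges an SSRF from the web tier should never need to reach.
SENSITIVE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("169.254.0.0/16"),   # link-local, incl. cloud metadata
]

# Constructed egress-log format: one request per line as key=value pairs.
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+)")


def is_sensitive_dest(host: str) -> bool:
    """True when host is an IP literal inside a sensitive range.

    Hostnames are not resolved here (keeps the check offline and side-effect
    free); rely on the dst= field, which the proxy filled from the real socket.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return any(ip in net for net in SENSITIVE_NETS)


def find_ssrf_indicators(lines):
    """Return (src, dst, url) for lines whose dst IP or URL host is sensitive."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        url_host = urlsplit(m["url"]).hostname or ""
        if is_sensitive_dest(m["dst"]) or is_sensitive_dest(url_host):
            hits.append((m["src"], m["dst"], m["url"]))
    return hits


# Constructed sample: one benign request, three that match the indicators.
SAMPLE_LOG = """\
src=10.0.1.5 dst=93.184.216.34 url=https://example.com/page
src=10.0.1.5 dst=169.254.169.254 url=http://169.254.169.254/
src=10.0.1.5 dst=10.0.2.20 url=http://10.0.2.20:8080/admin
src=10.0.1.5 dst=127.0.0.1 url=http://localhost:9200/_cat/indices
"""

if __name__ == "__main__":
    for hit in find_ssrf_indicators(SAMPLE_LOG.splitlines()):
        print("SSRF indicator:", hit)
```

Point LINE_RE at your own proxy or egress log format; the dst= field is the reliable signal, since the URL host may be a name that only resolves internally.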