CVE-2025-9549
📋 TL;DR
A missing authorization vulnerability in the Drupal Facets module allows attackers to reach restricted content through forceful browsing. It affects Drupal sites that use Facets for search filtering. Facets 2.x before 2.0.10 and Facets 3.x before 3.0.1 are vulnerable.
💻 Affected Systems
- Drupal Facets module
📦 What is this software?
Facets by Facets Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive content intended for authorized users only, potentially exposing confidential data or administrative interfaces.
Likely Case
Unauthorized users accessing content they shouldn't see, potentially violating data privacy regulations or exposing internal information.
If Mitigated
Limited impact if proper access controls and authentication mechanisms are already in place outside the module.
🎯 Exploit Status
Exploitation requires understanding of Drupal's URL structure and Facets implementation. No authentication needed to attempt exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.10 for Facets 2.x, 3.0.1 for Facets 3.x
Vendor Advisory: https://www.drupal.org/sa-contrib-2025-099
Restart Required: No
Instructions:
1. Update the Facets module via Drupal's update manager or Composer.
2. For Facets 2.x: update to version 2.0.10.
3. For Facets 3.x: update to version 3.0.1.
4. Clear the Drupal cache after the update.
🔧 Temporary Workarounds
Disable Facets module
Temporarily disable the Facets module if immediate patching isn't possible. Drupal 8 and later (which Facets 2.x and 3.x require) no longer support disabling a module in place, so the Drush command is an uninstall:
drush pm:uninstall facets
Uninstalling removes the module's configuration (facet definitions), so export configuration first (drush config:export) so it can be restored after patching.
Implement access control at web server level
Add URL-based access restrictions for Facets-related paths
🧯 If You Can't Patch
- Implement additional authentication/authorization checks for Facets functionality
- Monitor access logs for unauthorized attempts to access Facets-related URLs
🔍 How to Verify
Check if Vulnerable:
Check the Facets module version on Drupal's Extend page or via drush:
drush pm:list | grep facets
Verify Fix Applied:
Confirm the Facets module version is 2.0.10 or higher on the 2.x branch, or 3.0.1 or higher on the 3.x branch.
📡 Detection & Monitoring
Log Indicators:
- Multiple 200/403 responses for Facets URLs from the same IP
- Unauthorized access attempts to /facets/* paths
Network Indicators:
- Unusual patterns of requests to Facets endpoints
- Requests bypassing normal search workflows
SIEM Query:
SELECT source_ip, COUNT(*) AS facets_hits
FROM web_access_logs
WHERE (url_path LIKE '%/facets/%' OR url_path LIKE '%facet=%')
  AND response_code = 200
GROUP BY source_ip
HAVING COUNT(*) > threshold;
(threshold is a placeholder to tune per site; add response_code = 403 to the filter to catch the denied attempts listed under Log Indicators.)
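The log indicators above, as an added detection example that is not from the advisory or the Facets project: it parses access-log lines in the Apache/nginx combined format, counts 200/403 responses to Facets-related requests per source IP, and returns the sources above a threshold. The Facets URL markers (the advisory's /facets/ path and facet= parameter, plus the module's default f[...] query-string filter key) and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Combined log format as written by Apache/nginx defaults (assumed; adjust to your format)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# URL markers for Facets traffic: the advisory's /facets/ and facet= indicators plus the
# module's default "f[...]" query-string filter key (URL-encoded as f%5B...). Assumption.
FACET_MARKERS = ("/facets/", "facet=", "f%5B", "f[")

# Constructed sample lines: one source probing several facet values (403s, then 200s),
# and one ordinary search user.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /search?f%5B0%5D=type%3Ainternal HTTP/1.1" 403 512',
    '203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /search?f%5B0%5D=type%3Ainternal&page=1 HTTP/1.1" 403 512',
    '203.0.113.7 - - [10/Oct/2025:12:00:03 +0000] "GET /search?f%5B0%5D=department%3Afinance HTTP/1.1" 200 8192',
    '203.0.113.7 - - [10/Oct/2025:12:00:04 +0000] "GET /facets/ajax?facet=status HTTP/1.1" 200 2048',
    '198.51.100.2 - - [10/Oct/2025:12:00:05 +0000] "GET /search?keys=drupal HTTP/1.1" 200 4096',
    '198.51.100.2 - - [10/Oct/2025:12:00:06 +0000] "GET /search?f%5B0%5D=type%3Aarticle HTTP/1.1" 200 4096',
]

def is_facets_request(url: str) -> bool:
    """True when the request path or query string carries a Facets marker."""
    return any(marker in url for marker in FACET_MARKERS)

def flag_sources(log_lines, threshold=5):
    """Count 200/403 responses to Facets requests per source IP and return the IPs
    whose combined count exceeds threshold, e.g. {"203.0.113.7": {"200": 2, "403": 2}}."""
    counts = defaultdict(lambda: {"200": 0, "403": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_facets_request(m["url"]):
            continue
        status = m["status"]
        if status not in ("200", "403"):  # only the advisory's 200/403 indicators count
            continue
        counts[m["ip"]][status] += 1
    return {ip: c for ip, c in counts.items() if c["200"] + c["403"] > threshold}

if __name__ == "__main__":
    for ip, c in flag_sources(SAMPLE_LINES, threshold=3).items():
        print(f"{ip}: {c['200']} x 200, {c['403']} x 403 on Facets URLs")
```

A run of 403s followed by 200s from one source is the pattern worth triaging first: it matches forceful browsing that eventually lands on a filter value the site does serve.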