CVE-2025-9550

6.1 MEDIUM

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in Drupal Facets allows attackers to inject malicious scripts into web pages viewed by other users. It affects Drupal sites using the Facets module for search filtering and faceted navigation. Users with access to vulnerable Facets configurations could be targeted.

💻 Affected Systems

Products:
  • Drupal Facets module
Versions: Facets 0.0.0 to 2.0.9, Facets 3.0.0 to 3.0.0
Operating Systems: All operating systems running Drupal
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with the Facets module enabled and configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.

🟠 Likely Case

Attackers with access to Facets configuration could inject scripts that steal user session data or perform limited malicious actions.

🟢 If Mitigated

With proper input validation and output encoding in place, the risk is minimal, although the vulnerable code remains present until the module is patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to Facets configuration or user input that isn't properly sanitized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Facets 2.0.10 or Facets 3.0.1

Vendor Advisory: https://www.drupal.org/sa-contrib-2025-100

Restart Required: No

Instructions:

1. Update the Facets module via Drupal's update manager or Composer.
2. For Facets 2.x: update to version 2.0.10.
3. For Facets 3.x: update to version 3.0.1.
4. Clear Drupal caches after the update.

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Implement custom input validation and output encoding for Facets-related user inputs.

🧯 If You Can't Patch

  • Disable or remove the Facets module if not essential
  • Implement web application firewall rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check the Facets module version on Drupal's Extend page or via 'composer show drupal/facets'.

Check Version:

drush pm-list | grep facets

Verify Fix Applied:

Confirm the installed Facets version is 2.0.10 or later on the 2.x branch, or 3.0.1 or later on the 3.x branch.
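As an added check for the verification steps above (example code, not from the advisory or the Facets project): a small Python helper that reads the version from `composer show drupal/facets` or `drush pm-list` output and compares it against the affected ranges listed on this page. The sample tool output is constructed, not captured from a real site.

```python
import re

# Affected ranges and fixed releases exactly as this page states them:
# 0.0.0 .. 2.0.9 and 3.0.0 are affected; 2.0.10 and 3.0.1 carry the fix.
FIXED_RELEASE = {2: (2, 0, 10), 3: (3, 0, 1)}

# Constructed sample output, modelled on `composer show drupal/facets`
# and `drush pm-list | grep facets`; not captured from a real site.
SAMPLE_COMPOSER = "name     : drupal/facets\nversions : * 2.0.9\n"
SAMPLE_DRUSH = "Search  Facets (facets)  Enabled  8.x-2.0.9\n"


def parse_version(text):
    """Return (major, minor, patch) for the first module version in text.
    Drush may print a core-compatibility prefix such as '8.x-'; the
    optional group skips it so only the module's own version is read.
    A two-part version such as 1.3 is treated as 1.3.0."""
    m = re.search(r"(?:\b\d+\.x-)?\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError("no module version found in: %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True when version lies inside an affected range listed above."""
    major = version[0]
    if major < 2:
        return True          # everything from 0.0.0 up to 2.0.9 is affected
    fixed = FIXED_RELEASE.get(major)
    if fixed is None:
        return False         # branches the advisory does not list
    return version < fixed   # tuple order: 2.0.9 < 2.0.10, 3.0.0 < 3.0.1


def assess(tool_output):
    """Parse composer/drush output and say whether an update is needed."""
    version = parse_version(tool_output)
    vulnerable = is_vulnerable(version)
    target = FIXED_RELEASE[3] if version[0] == 3 else FIXED_RELEASE[2]
    return {
        "installed": ".".join(map(str, version)),
        "vulnerable": vulnerable,
        "update_to": ".".join(map(str, target)) if vulnerable else None,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_COMPOSER, SAMPLE_DRUSH):
        print(assess(sample))
```

Pipe real output into `assess()` (for example `composer show drupal/facets` run in the site's project root) to get a yes/no answer plus the release to move to.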

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to Facets configuration pages
  • JavaScript payloads in URL parameters or form submissions

Network Indicators:

  • Suspicious script tags in HTTP requests to Facets endpoints

SIEM Query:

web_requests WHERE url CONTAINS 'facets' AND (body CONTAINS '<script>' OR params CONTAINS 'javascript:')

🔗 References
