Drupal Core Security
Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008
The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module.
In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN.
This vulnerability is mitigated by the following:
- Drupal must be configured to handle non-public files using a custom or contributed module providing an additional file scheme.
- An attacker must know to request a file that has previously been
requested by a more-privileged user, and that file must still be cached.
Install the latest version:
- If you are using Drupal 10.4, update to Drupal 10.4.9.
- If you are using Drupal 10.5, update to Drupal 10.5.6.
- If you are using Drupal 11.1, update to Drupal 11.1.9.
- If you are using Drupal 11.2, update to Drupal 11.2.8.
Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:- Damien McKenna (damienmckenna) of the Drupal Security Team
- tame4tex
- Benji Fisher (benjifisher) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Mingsong (mingsong), provisional member of the Drupal Security Team
- Mohit Aghera (mohit_aghera)
- James Gilliland (neclimdul) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Drupal core - Moderately critical - Defacement - SA-CORE-2025-007
By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement.
The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content (such as branding) is rendered.
Solution:Install the latest version:
- If you are using Drupal 10.4, update to Drupal 10.4.9.
- If you are using Drupal 10.5, update to Drupal 10.5.6.
- If you are using Drupal 11.1, update to Drupal 11.1.9.
- If you are using Drupal 11.2, update to Drupal 11.2.8.
Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:- Benji Fisher (benjifisher) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Mingsong (mingsong), provisional member of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Ra Mänd (ram4nd), provisional member of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
Solution:Install the latest version:
- If you are using Drupal 10.4, update to Drupal 10.4.9.
- If you are using Drupal 10.5, update to Drupal 10.5.6.
- If you are using Drupal 11.1, update to Drupal 11.1.9.
- If you are using Drupal 11.2, update to Drupal 11.2.8.
Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By:- Anna Kalata (akalata), provisional member of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Ra Mänd (ram4nd), provisional member of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.
This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).
This could be exploited in various ways:
- Broken rendering of some pages
- Unstyled or malformatted pages
- Adverse impacts on client-side functionality
Changes are being made in the underlying library which will mitigate this problem, but in the meantime Drupal core has been hardened to protect against this vulnerability. The authors of the underlying library do not believe it is a source of vulnerabilities in other systems. Drupal's use of library leads to an implementation-specific vulnerability, so we've issued this advisory and reserved a CVE ID for the vulnerability in Drupal.
Solution:Install the latest version:
- If you are using Drupal 10.4, update to Drupal 10.4.9.
- If you are using Drupal 10.5, update to Drupal 10.5.6.
- If you are using Drupal 11.1, update to Drupal 11.1.9.
- If you are using Drupal 11.2, update to Drupal 11.2.8.
Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:- Dragos Dumitrescu (dragos-dumi)
- yasser ALLAM (inzo_)
- Nils Destoop (nils.destoop)
- Sven Decabooter (svendecabooter)
- zhero
- Alex Pott (alexpott) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- cilefen (cilefen) of the Drupal Security Team
- Jen Lampton (jenlampton), provisional member of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Nils Destoop (nils.destoop)
- Juraj Nemec (poker10) of the Drupal Security Team
- Ra Mänd (ram4nd), provisional member of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Neue Kommentare
vor 1 Tag 17 Stunden
vor 2 Tagen 9 Stunden
vor 7 Wochen 6 Tagen
vor 8 Wochen 7 Stunden
vor 8 Wochen 1 Tag
vor 8 Wochen 5 Tagen
vor 8 Wochen 5 Tagen
vor 9 Wochen 2 Tagen
vor 9 Wochen 2 Tagen
vor 9 Wochen 2 Tagen