Cyber Resilience

CVE-2025-31674

Severity: High
Published: 31 March 2025
Modified: 01 May 2025
KEV Added: not listed
Patch: available (see the advisory under Deeper analysis)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0031 (54.9th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-31674 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Drupal core (vendor: Drupal). Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS it ranks in the top 45.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified in this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-31674 is an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability, also described as enabling object injection, in Drupal core. It affects versions from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, and from 11.1.0 before 11.1.3, and carries a CVSS 3.1 score of 7.5.

An authenticated attacker with low privileges (PR:L) can supply crafted input over the network (AV:N) to modify object attributes, with high impact on confidentiality, integrity, and availability. The attack complexity is rated high (AC:H), and no user interaction is required (UI:N).

The official advisory at https://www.drupal.org/sa-core-2025-003 addresses the flaw and directs administrators to apply the listed patches, which bring installations to 10.3.13, 10.4.3, 11.0.12, or 11.1.3 or later.

The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.0104, indicating emerging exploitation interest after disclosure.

Vulnerability details

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

CWE(s): CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability enables network-based object injection in a public-facing Drupal web application by a low-privileged authenticated user, directly facilitating T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation) to achieve high confidentiality, integrity, and availability impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-9082 (same product: Drupal Drupal)
CVE-2025-31692 (same product class: CMS core)
CVE-2025-24411 (same product class: CMS core)
CVE-2025-24434 (same product class: CMS core)
CVE-2026-48898 (same product class: CMS core)
CVE-2026-35221 (same product class: CMS core)
CVE-2026-48904 (same product class: CMS core)
CVE-2026-34646 (same product class: CMS core)
CVE-2026-48899 (same product class: CMS core)
CVE-2026-34645 (same product class: CMS core)

Affected Assets

Vendor: drupal
Product: drupal
Affected versions: 8.0.0 to before 10.3.13; 10.4.0 to before 10.4.3; 11.0.0 to before 11.0.12

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Timely flaw remediation through patching Drupal core to the fixed versions directly eliminates the object injection vulnerability.

SI-10 Information Input Validation (prevent): Information input validation prevents malicious payloads from exploiting the improper control of dynamically-determined object attributes that leads to injection.

AC-3 Access Enforcement (prevent): Access enforcement mechanisms restrict unauthorized modifications of dynamically-determined object attributes, mitigating the core issue of improper control.