CVE-2025-31674
Published: 31 March 2025
Summary
CVE-2025-31674 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Drupal core. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 44.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through patching Drupal core to fixed versions directly eliminates the object injection vulnerability.
Information input validation rejects malicious payloads before they can reach the improperly controlled modification of dynamically-determined object attributes that leads to object injection.
Access enforcement mechanisms restrict unauthorized modifications of dynamically-determined object attributes, mitigating the core issue of improper control.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables network-based object injection in a public-facing Drupal web application by a low-privileged authenticated user, directly facilitating T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation) to achieve high confidentiality, integrity, and availability impact.
NVD Description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Deeper analysis
CVE-2025-31674 is an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal core that enables object injection. It affects Drupal core versions from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, and from 11.1.0 before 11.1.3. The vulnerability is associated with CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) and CWE-913 (Improper Control of Dynamically-Managed Code Resources), carrying a CVSS v3.1 base score of 7.5 (High) with the vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with high attack complexity and no user interaction required. Successful exploitation allows arbitrary object injection, potentially leading to high-impact confidentiality, integrity, and availability violations on the affected Drupal instance.
The official Drupal security advisory SA-CORE-2025-003, available at https://www.drupal.org/sa-core-2025-003, details mitigation through upgrading to the patched versions: Drupal core 10.3.13, 10.4.3, 11.0.12, or 11.1.3, depending on the supported branch.
Details
- CWE(s)