CVE-2025-31674
Published: 31 March 2025
Summary
CVE-2025-31674 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Drupal core. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-31674 is an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability, also described as enabling object injection, that affects Drupal core. The issue impacts versions from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, and from 11.1.0 before 11.1.3, and carries a CVSS 3.1 score of 7.5.
An authenticated attacker with low privileges can supply crafted input over the network to modify object attributes, achieving high impact on confidentiality, integrity, and availability. The attack requires some complexity but no user interaction.
The official advisory at https://www.drupal.org/sa-core-2025-003 addresses the flaw and directs administrators to apply the listed patches that bring installations to 10.3.13, 10.4.3, 11.0.12, or 11.1.3 or later.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0104, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9049
Vulnerability details
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
- CWE(s): CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables network-based object injection in a public-facing Drupal web application by an attacker with low-privileged authentication. This directly facilitates T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation), with high impact on confidentiality, integrity, and availability.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Timely patching of Drupal core to the fixed versions directly eliminates the object injection vulnerability.
- SI-10 (Information Input Validation): Validating input prevents malicious payloads from exploiting the improper control of dynamically-determined object attributes that leads to injection.
- AC-3 (Access Enforcement): Access enforcement mechanisms restrict unauthorized modification of dynamically-determined object attributes, mitigating the core issue of improper control.