CVE-2025-31677
Published: 31 March 2025
Summary
CVE-2025-31677 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the Drupal AI (Artificial Intelligence) contributed module. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under Other Platforms, in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): Requires mechanisms such as CSRF tokens to protect session authenticity during state-changing operations, directly addressing the Drupal AI module's CSRF vulnerability.
- SI-2 (Flaw Remediation): Mandates timely remediation of identified flaws, such as upgrading the vulnerable Drupal AI module from versions before 1.0.2 to the patched 1.0.2 release.
- Information input validation: Enforces validation of information inputs, including CSRF tokens, at system entry points to block forged requests exploiting the vulnerability.
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The CSRF vulnerability in the Drupal AI module, part of a public-facing web application, gives adversaries an initial-access path: they forge authenticated requests that a victim's browser submits on the victim's behalf.
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in Drupal AI (Artificial Intelligence) allows Cross Site Request Forgery. This issue affects AI (Artificial Intelligence): from 1.0.0 before 1.0.2.
Deeper analysis
CVE-2025-31677 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Drupal AI (Artificial Intelligence) contributed module. This flaw affects versions of the module from 1.0.0 up to but not including 1.0.2 and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
The vulnerability can be exploited by unauthenticated attackers over the network with low complexity; the only prerequisite is user interaction, such as a victim visiting a malicious webpage while logged in. Authenticated users of Drupal sites with the AI module enabled are the ones at risk: an attacker can trick their browser into submitting forged requests that perform unintended state-changing actions on the site, potentially leading to high-impact outcomes such as unauthorized data access, modification, or denial of service.
The official Drupal security advisory SA-CONTRIB-2025-003 at https://www.drupal.org/sa-contrib-2025-003 details the issue and recommends upgrading to Drupal AI (Artificial Intelligence) version 1.0.2 or later, which resolves the CSRF protection deficiency. Site administrators should also review access controls for the module and ensure CSRF tokens are properly enforced on relevant endpoints.
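To make concrete what "CSRF tokens properly enforced on relevant endpoints" means, the following is an added, self-contained model of the synchronizer-token pattern (the mechanism NIST SC-23 calls for). It is not Drupal's code and not taken from the AI module or its advisory; in Drupal the equivalent protection comes from the Form API's form token and the `_csrf_token` route requirement. Every name here (`Session`, `csrf_token`, `handle_post`, the route path and the settings dictionary) is a constructed stand-in. The example runs the same simulated state-changing endpoint with and without the token check and shows why a token must be bound to both the session and the action, and compared in constant time.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed model of the synchronizer-token pattern on a state-changing
# endpoint. All names are hypothetical stand-ins, not Drupal's own code.

SITE_PRIVATE_KEY = secrets.token_bytes(32)          # per-site secret (constructed)
site_settings: Dict[str, str] = {"model": "default"}  # constructed site state


class Session:
    """Stand-in for one logged-in user's server-side session."""

    def __init__(self, user: str) -> None:
        self.user = user
        # Per-session seed: a token minted in one session is useless in another.
        self.csrf_seed = secrets.token_hex(32)


def csrf_token(session: Session, action: str) -> str:
    """Derive a token bound to both the session and the specific action (path)."""
    msg = f"{session.csrf_seed}:{action}".encode()
    return hmac.new(SITE_PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def csrf_valid(session: Session, action: str, presented: Optional[str]) -> bool:
    """Constant-time comparison; a missing token is simply invalid."""
    if not presented:
        return False
    expected = csrf_token(session, action).encode()
    return hmac.compare_digest(expected, presented.encode())


def handle_post(session: Session, request: dict, require_token: bool) -> str:
    """Simulated state-changing endpoint.

    require_token=False reproduces the unprotected behaviour: any POST that
    arrives with the victim's session cookie is honoured, which is exactly what
    a forged cross-site request relies on. require_token=True enforces the token.
    """
    if request["method"] != "POST":
        return "405 method not allowed"
    if require_token and not csrf_valid(session, request["path"], request.get("token")):
        return "403 invalid or missing CSRF token"
    site_settings.update(request["form"])
    return "200 settings updated"


def run_scenarios() -> Dict[str, str]:
    """Exercise legitimate and forged requests against both handler variants."""
    victim = Session("admin")
    attacker = Session("mallory")
    path = "/admin/config/example/settings"   # hypothetical route path
    form = {"model": "attacker-chosen"}

    # A forged request rides on the victim's cookies (so `victim` is the session),
    # but the attacker's page cannot read or mint the victim's token.
    forged = {"method": "POST", "path": path, "form": form}
    # A token minted in the attacker's own session, replayed against the victim.
    replayed = dict(forged, token=csrf_token(attacker, path))
    # A token the victim legitimately holds, but for a different action.
    wrong_action = dict(forged, token=csrf_token(victim, "/user/logout"))
    # A genuine submission from the victim's own form, carrying the right token.
    genuine = dict(forged, token=csrf_token(victim, path))

    return {
        "unprotected_forged": handle_post(victim, forged, require_token=False),
        "protected_forged": handle_post(victim, forged, require_token=True),
        "protected_replayed": handle_post(victim, replayed, require_token=True),
        "protected_wrong_action": handle_post(victim, wrong_action, require_token=True),
        "protected_genuine": handle_post(victim, genuine, require_token=True),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

The unprotected variant accepts the forged request because the browser attaches the victim's session cookie automatically; the protected variant rejects it, rejects a token replayed from the attacker's own session, and rejects a victim token issued for a different action, while still accepting the victim's genuine submission. When reviewing a module for this class of bug, the check to make is that every state-changing route or form either goes through the framework's form handling or declares the token requirement explicitly, and that GET requests never change state.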
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
- Affected Products: Drupal AI (Artificial Intelligence) module, versions from 1.0.0 before 1.0.2
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Drupal AI is a module for the Drupal CMS platform that integrates AI functionalities, fitting under 'Other Platforms' as it is a web platform extension for AI rather than a core ML framework, library, or specific AI subdomain.