CVE-2025-31678
Published: 31 March 2025
Summary
CVE-2025-31678 is a high-severity Missing Authorization (CWE-862) vulnerability in the Drupal AI (Artificial Intelligence) module. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 35.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Other Platforms, in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for access to system resources, directly preventing forceful browsing due to missing authorization in the Drupal AI module.
SC-14 controls and protects public access to system resources, mitigating unauthorized forceful browsing on publicly accessible Drupal web applications.
SI-2 requires timely identification, reporting, and correction of flaws, supporting prompt patching of the vulnerable Drupal AI module to version 1.0.3 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization in the Drupal AI module enables forceful browsing, which facilitates exploitation of a public-facing web application (T1190).
NVD Description
Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.3.
Deeper analysis
CVE-2025-31678 is a missing authorization vulnerability, classified under CWE-862, in the Drupal AI (Artificial Intelligence) module that enables forceful browsing. This issue affects all versions of the AI module from 0.0.0 up to but excluding 1.0.3. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H), indicating high severity primarily due to its potential for significant availability disruption.
Remote attackers require no privileges or user interaction and can exploit the flaw over the network with low attack complexity. Exploitation allows limited access to confidential information together with a high-impact denial of service, such as resource exhaustion or service disruption, on affected Drupal sites running vulnerable AI module versions.
The official Drupal security advisory at https://www.drupal.org/sa-contrib-2025-004 details the issue and recommends updating the AI (Artificial Intelligence) module to version 1.0.3 or later as the primary mitigation.
This vulnerability occurs in a Drupal module handling artificial intelligence features, highlighting potential risks in AI-integrated web applications. No public information on real-world exploitation is available as of the CVE publication on 2025-03-31.
Details
- CWE(s): CWE-862 (Missing Authorization)
Affected Products
- Drupal AI (Artificial Intelligence) module, versions from 0.0.0 before 1.0.3
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: The vulnerability affects 'Drupal AI (Artificial Intelligence)', a module for integrating AI functionalities into the Drupal CMS platform, fitting under 'Other Platforms' as it is a platform-specific AI extension rather than a core framework, library, or specialized AI tool.