CVE-2025-31685
Published: 31 March 2025
Summary
CVE-2025-31685 is a critical-severity Missing Authorization (CWE-862) vulnerability in Getopensocial Open Social. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-31685 is a missing authorization vulnerability (CWE-862) in the Drupal Open Social distribution that allows forceful browsing. It affects Open Social versions from 0.0.0 before 12.3.11 in the 12.3.x series and from 12.4.0 before 12.4.10 in the 12.4.x series. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), reflecting its critical severity with no confidentiality impact but high impacts on integrity and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By engaging in forceful browsing, attackers bypass authorization controls, enabling them to achieve high integrity impact through unauthorized modifications and high availability impact, potentially disrupting services.
The Drupal security advisory SA-CONTRIB-2025-014 details the vulnerability and mitigation steps, recommending upgrades to Open Social 12.3.11 or later for the 12.3.x series and 12.4.10 or later for the 12.4.x series.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9038
Vulnerability details
Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization vulnerability in public-facing Drupal Open Social web application allows remote unauthenticated forceful browsing to bypass controls, directly enabling exploitation of public-facing applications for initial access and unauthorized modifications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces approved authorizations for access to system resources, preventing forceful browsing bypasses of missing authorization checks in Drupal Open Social.
Requires identification, reporting, and timely correction of flaws like this missing authorization vulnerability through patching to fixed Open Social versions.
Limits the scope of unauthorized modifications and disruptions from forceful browsing by employing least privilege principles alongside access enforcement.