Cyber Resilience

CVE-2025-31685

Critical

Published: 31 March 2025

Published
31 March 2025
Modified
25 August 2025
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0037 59.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-31685 is a critical-severity Missing Authorization (CWE-862) vulnerability in Getopensocial Open Social. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-31685 is a missing authorization vulnerability (CWE-862) in the Drupal Open Social distribution that allows forceful browsing. It affects Open Social versions from 0.0.0 before 12.3.11 in the 12.3.x series and from 12.4.0 before 12.4.10 in the 12.4.x series. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), reflecting its critical severity with no confidentiality impact but high impacts on integrity and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. By engaging in forceful browsing, attackers bypass authorization controls, enabling them to achieve high integrity impact through unauthorized modifications and high availability impact, potentially disrupting services.

The Drupal security advisory SA-CONTRIB-2025-014 details the vulnerability and mitigation steps, recommending upgrades to Open Social 12.3.11 or later for the 12.3.x series and 12.4.10 or later for the 12.4.x series.

EU & UK References

Vulnerability details

Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing.This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization vulnerability in public-facing Drupal Open Social web application allows remote unauthenticated forceful browsing to bypass controls, directly enabling exploitation of public-facing applications for initial access and unauthorized modifications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-31686Same product: Getopensocial Open Social
CVE-2024-13240Same product: Getopensocial Open Social
CVE-2024-13241Same product: Getopensocial Open Social
CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2026-42083Shared CWE-862
CVE-2026-0656Shared CWE-862
CVE-2026-24532Shared CWE-862
CVE-2025-13603Shared CWE-862
CVE-2025-69063Shared CWE-862

Affected Assets

getopensocial
open social
≤ 12.3.11 · 12.4.0 — 12.4.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations for access to system resources, preventing forceful browsing bypasses of missing authorization checks in Drupal Open Social.

prevent

Requires identification, reporting, and timely correction of flaws like this missing authorization vulnerability through patching to fixed Open Social versions.

prevent

Limits the scope of unauthorized modifications and disruptions from forceful browsing by employing least privilege principles alongside access enforcement.

References