CVE-2025-31686
Published: 31 March 2025
Summary
CVE-2025-31686 is a high-severity Missing Authorization (CWE-862) vulnerability in Getopensocial Open Social. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2025-31686 is a missing authorization vulnerability (CWE-862) in the Drupal Open Social distribution that allows forceful browsing. The issue affects Open Social versions from 0.0.0 before 12.3.11 and from 12.4.0 before 12.4.10.
The vulnerability is exploitable remotely by unauthenticated attackers: the attack vector is network, no privileges or user interaction are required, but attack complexity is rated high. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
The Drupal security advisory at https://www.drupal.org/sa-contrib-2025-015 details the vulnerability. Sites should upgrade to Open Social 12.3.11 or 12.4.10, or later versions, to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9035
Vulnerability details
Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing. This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization vulnerability in the public-facing Drupal Open Social distribution directly enables forceful browsing by remote unauthenticated attackers, which maps to exploitation of public-facing web applications (T1190).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): requires enforcement of approved authorizations for logical access to information and system resources, directly addressing the missing authorization check that enables forceful browsing in Drupal Open Social.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of the software flaw causing the missing authorization vulnerability, aligning with the recommended upgrade to Open Social 12.3.11 or 12.4.10 or later.
- SC-14 (Public Access Protections): enforces strict access controls on publicly accessible web interfaces and services, preventing remote unauthenticated attackers from exploiting forceful browsing on Drupal-based systems.