Cyber Resilience

CVE-2025-31686

Severity: High
Published: 31 March 2025
Modified: 25 August 2025
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0039 (60.3rd percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-31686 is a high-severity Missing Authorization (CWE-862) vulnerability in Getopensocial Open Social. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2025-31686 is a missing authorization vulnerability (CWE-862) in the Drupal Open Social distribution that allows forceful browsing. The issue affects Open Social versions from 0.0.0 before 12.3.11 and from 12.4.0 before 12.4.10.

Remote unauthenticated attackers with network access can exploit this vulnerability, which requires high attack complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

The Drupal security advisory at https://www.drupal.org/sa-contrib-2025-015 details the vulnerability. Sites should upgrade to Open Social 12.3.11 or 12.4.10, or later versions, to mitigate the issue.

Vulnerability details

Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing. This issue affects Open Social: from 0.0.0 before 12.3.11, from 12.4.0 before 12.4.10.

CWE(s): CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The missing authorization vulnerability in the public-facing Drupal Open Social distribution directly enables forceful browsing by remote unauthenticated attackers, mapping to exploitation of public-facing web applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-31685 (same product: Getopensocial Open Social)
CVE-2024-13240 (same product: Getopensocial Open Social)
CVE-2024-13241 (same product: Getopensocial Open Social)
CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)

Affected Assets

Vendor: getopensocial
Product: open social
Versions: ≤ 12.3.11 · 12.4.0 to 12.4.10

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: AC-3 (Access Enforcement)

Requires enforcement of approved authorizations for logical access to information and system resources, directly addressing the missing authorization that enables forceful browsing in Drupal Open Social.

Prevent: Flaw Remediation (control identifier not given on the page; the wording matches NIST 800-53 SI-2)

Mandates timely identification, reporting, and correction of the specific software flaw causing the missing authorization vulnerability, aligning with the recommended upgrade to patched Open Social versions.

Prevent: SC-14 (Public Access Protections)

Enforces strict access controls on publicly accessible web interfaces and services, preventing remote unauthenticated attackers from exploiting forceful browsing on Drupal-based systems.

References

Drupal security advisory SA-CONTRIB-2025-015: https://www.drupal.org/sa-contrib-2025-015