CVE-2025-31691
Published: 31 March 2025
Summary
CVE-2025-31691 is a critical-severity Missing Authorization (CWE-862) vulnerability in the OAuth2 Server contributed module for Drupal (listed under the vendor/product name "Oauth2 Server Project / Oauth2 Server"). Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 34.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-31691 is a missing authorization vulnerability (CWE-862) in the Drupal OAuth2 Server module that enables forceful browsing: a client can reach a protected resource simply by requesting its URL directly, because the module never checks whether the requester is allowed to access it. The issue affects all versions of the OAuth2 Server module before 2.1.0 (the CVE record gives the affected range as 0.0.0 up to but not including 2.1.0).
Remote attackers need no privileges and no user interaction to exploit this vulnerability over the network with low complexity, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An unauthenticated attacker can use forceful browsing to bypass the module's authorization controls, with potentially high impact on the confidentiality, integrity, and availability of the affected Drupal instance; the scope metric (S:U) indicates the assessed impact stays within the vulnerable component rather than extending to other systems.
The Drupal security advisory SA-CONTRIB-2025-020, available at https://www.drupal.org/sa-contrib-2025-020, documents the vulnerability and provides guidance on mitigation, including upgrading to OAuth2 Server version 2.1.0 or later.
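Because the only documented fix is to move the module to 2.1.0 or later, the first thing a practitioner wants is a reliable way to tell whether a given site is still inside the affected range. The script below is an added example, not code from the page or from the Drupal project. It reads a `composer.lock` file (the constructed sample is embedded inline), finds the OAuth2 Server package, normalises Drupal's version strings (legacy `8.x-2.0` style, semver, and pre-release tags) and compares them against the fixed version 2.1.0. The package name `drupal/oauth2_server` is assumed from Drupal's `drupal/<machine_name>` Composer convention.

```python
"""Check whether the installed Drupal OAuth2 Server module is within the
range affected by CVE-2025-31691 (all versions before 2.1.0).

Added example; not part of the advisory or the module's own code.
"""
import json
import re
from typing import Optional, Tuple

# Fixed release per SA-CONTRIB-2025-020: 2.1.0. Versions are compared as
# (major, minor, patch, is_release) so that a pre-release such as
# 2.1.0-beta1 sorts below the 2.1.0 release and is still reported as affected.
FIXED_VERSION = (2, 1, 0, 1)

# Assumption: Drupal contrib modules are published to Composer as
# drupal/<machine_name>; the module's machine name is oauth2_server.
PACKAGE = "drupal/oauth2_server"

VersionKey = Tuple[int, int, int, int]


def normalize_version(raw: str) -> Optional[VersionKey]:
    """Map a Drupal contrib version string to a comparable tuple.

    Accepts '8.x-2.0' (legacy core-compatibility prefix), '2.0.3', 'v2.0.3'
    and pre-release forms like '2.1.0-beta1'. Returns None for strings that
    cannot be ranked (for example 'dev-main'), which callers should treat
    as 'unknown, inspect manually' rather than 'safe'.
    """
    v = raw.strip().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)  # drop the '8.x-' style prefix
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$", v)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    is_release = 0 if m.group(4) else 1
    return (major, minor, patch, is_release)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is before 2.1.0, False if fixed, None if unparseable."""
    key = normalize_version(version)
    if key is None:
        return None
    return key < FIXED_VERSION


def find_module_version(lock_json: str) -> Optional[str]:
    """Return the locked version of the OAuth2 Server package, if present."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


def check_lock(lock_json: str) -> dict:
    """Summarise the CVE-2025-31691 exposure recorded in a composer.lock."""
    version = find_module_version(lock_json)
    if version is None:
        return {"version": None, "affected": False}  # module not installed
    return {"version": version, "affected": is_affected(version)}


# Constructed sample composer.lock excerpt (not taken from any real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.0"},
        {"name": "drupal/oauth2_server", "version": "2.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

Run it against a real site by replacing `SAMPLE_LOCK` with the contents of the project's `composer.lock`; a result of `affected: None` means the version string could not be ranked (a `dev-*` checkout, for instance) and should be resolved by hand rather than assumed safe.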
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9026
Vulnerability details
Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a critical unauthenticated remote authorization bypass (forceful browsing) in a public-facing Drupal OAuth2 Server module, directly enabling exploitation of public-facing applications for initial access with high impact on confidentiality, integrity, and availability.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access, directly addressing the missing authorization check that lets unauthenticated clients forcefully browse to protected resources in the Drupal OAuth2 Server module.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of flaws such as CVE-2025-31691, here by updating the OAuth2 Server module to version 2.1.0 or later.
- SI-10 (Information Input Validation): validates system inputs so that malformed or unexpected requests are rejected. This is a supporting control only: forceful browsing succeeds because an access check is absent, not because the request is malformed, so input validation does not substitute for the access enforcement restored by the patch.