Cyber Resilience

CVE-2025-31691

Critical

Published: 31 March 2025

Modified: 02 September 2025
CISA KEV: not listed
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0048 (65.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-31691 is a critical-severity Missing Authorization (CWE-862) vulnerability in OAuth2 Server (Oauth2 Server Project), the Drupal OAuth2 Server module. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 34.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-31691 is a missing authorization vulnerability (CWE-862) in the Drupal OAuth2 Server module that enables forceful browsing. The issue affects all versions of the OAuth2 Server module from 0.0.0 up to but not including 2.1.0.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Because the affected code performs no authorization check, an unauthenticated attacker can reach protected functionality by requesting it directly (forceful browsing), with potentially high impact on the confidentiality, integrity, and availability of the affected Drupal instance.

The Drupal security advisory SA-CONTRIB-2025-020, available at https://www.drupal.org/sa-contrib-2025-020, documents the vulnerability and provides guidance on mitigation, including upgrading to OAuth2 Server version 2.1.0 or later.
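The remediation the advisory describes is a version upgrade, so the first thing a defender wants is a reliable answer to "is our installed OAuth2 Server module below 2.1.0?". The script below is an added example, not code from the page, the Drupal project or the advisory. It reads a Composer lock file, finds the module and compares its version against the fixed version quoted above. It assumes the module's Composer package name is `drupal/oauth2_server` and that Drupal's legacy core-prefixed version strings (for example `8.x-2.0`) should be compared on the part after the prefix; it also treats pre-releases of 2.1.0 (such as `2.1.0-rc1`) as still affected, which is an assumption the page does not state. The lock-file content is constructed for the example.

```python
import json
import re

# Constructed composer.lock excerpt for the example; not taken from any real site.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/oauth2_server", "version": "8.x-2.0"},
    ]
})

AFFECTED_PACKAGE = "drupal/oauth2_server"  # assumed Composer name of the module
FIXED_VERSION = "2.1.0"                    # fixed release named in SA-CONTRIB-2025-020


def normalize_version(version):
    """Turn a Drupal-style or semver version string into a comparable tuple.

    Returns None for branch/dev versions that cannot be ordered meaningfully.
    Tuple layout: (major, minor, patch, release_flag, prerelease_tag), where
    release_flag is 0 for a pre-release and 1 for a final release, so
    2.1.0-rc1 sorts before 2.1.0.
    """
    v = version.strip().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)  # legacy "8.x-2.0" -> "2.0" (assumption)
    if v.startswith("dev-") or v.endswith("-dev"):
        return None
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$", v)
    if not m:
        return None
    nums = tuple(int(x) if x else 0 for x in m.group(1, 2, 3))
    pre = m.group(4)
    return nums + ((0, pre) if pre else (1, ""))


def is_affected(version):
    """True if version < FIXED_VERSION, False if not, None if undecidable."""
    key = normalize_version(version)
    if key is None:
        return None
    return key < normalize_version(FIXED_VERSION)


def check_composer_lock(lock_json):
    """Locate the module in a composer.lock document and classify its version."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == AFFECTED_PACKAGE:
            installed = pkg.get("version", "")
            return {"installed": installed, "affected": is_affected(installed)}
    return {"installed": None, "affected": False}  # module not installed


if __name__ == "__main__":
    result = check_composer_lock(SAMPLE_COMPOSER_LOCK)
    status = {True: "AFFECTED", False: "not affected", None: "UNKNOWN (dev build)"}
    print(f"{AFFECTED_PACKAGE} {result['installed']}: {status[result['affected']]}")
```

A `None` result (a `dev-` or `-dev` build) should be treated as "investigate", not "safe": a development snapshot may or may not include the fix, and the lock file alone cannot tell you.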

Vulnerability details

Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0.

CWE(s)

CWE-862 Missing Authorization
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a critical unauthenticated remote authorization bypass (forceful browsing) in a public-facing Drupal OAuth2 Server module, directly enabling exploitation of public-facing applications for initial access with high impact on confidentiality, integrity, and availability.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)
CVE-2025-41765 (shared CWE-862)

Affected Assets

Vendor: oauth2 server project
Product: oauth2 server
Versions: ≤ 2.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for logical access, directly mitigating the missing authorization vulnerability that enables unauthenticated forceful browsing in the Drupal OAuth2 Server module.

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and remediation of flaws like CVE-2025-31691 by patching the OAuth2 Server module to version 2.1.0 or later.

Input validation (prevent)

Validates system inputs to block or reject unauthorized requests that exploit missing authorization checks during forceful browsing attempts.

References

Drupal security advisory SA-CONTRIB-2025-020: https://www.drupal.org/sa-contrib-2025-020