CVE-2025-31674

Published: Mar 31, 2025Modified: May 1, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

Affected (4)

Products: Drupal: Drupal

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Drupal Drupal	From 10.4.0 to 10.4.3
Drupal Drupal	From 11.0.0 to 11.0.12
Drupal Drupal	From 11.1.0 to 11.1.3
Drupal Drupal	From 8.0.0 to 10.3.13

Related CWEs

Improper Control of Dynamically-Managed Code Resources

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

References (1)

https://www.drupal.org/sa-core-2025-003

Source: mlhess@drupal.org

Vendor Advisory

Timeline

No history available yet.