CVE-2025-31674

CWE-915CWE-9136 documents5 sources
Severity
7.5HIGH
EPSS
0.8%
top 25.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Drupal Drupal CoreDrupal DrupalDrupal Core
Timeline
PublishedMar 31
Latest updateApr 1

Description

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages3 packages

Packagistdrupal/core8.0.010.3.13+3
CVEListV5drupal/drupal_core8.0.010.3.13+3
NVDdrupal/drupal8.0.010.3.13+3

🔴Vulnerability Details

4
GHSA
Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability2025-04-01
OSV
Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability2025-04-01
CVEList
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-0032025-03-31
OSV
CVE-2025-31674: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion2025-02-19

📋Vendor Advisories

1
Drupal
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-0032025-02-19
CVE-2025-31674 (HIGH CVSS 7.5) | Improperly Controlled Modification | cvebase.io