CVE-2025-31674
Published: 2025-03-31
Priority P3 · 47 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.50% (39.0th percentile)
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.4.0 < 10.4.3 | 10.4.3 |
| drupal | core | >= 11.0.0 < 11.0.12 | 11.0.12 |
| drupal | core | >= 11.1.0 < 11.1.3 | 11.1.3 |
| drupal | core | >= 8.0.0 < 10.3.13 | 10.3.13 |
| drupal | drupal | >= 10.4.0 < 10.4.3 | 10.4.3 |
| drupal | drupal | >= 11.0.0 < 11.0.12 | 11.0.12 |
| drupal | drupal | >= 11.1.0 < 11.1.3 | 11.1.3 |
| drupal | drupal | >= 8.0.0 < 10.3.13 | 10.3.13 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.4.0 < 10.4.3 | 10.4.3 |
| drupal | drupal_core | >= 11.0.0 < 11.0.12 | 11.0.12 |
| drupal | drupal_core | >= 11.1.0 < 11.1.3 | 11.1.3 |
| drupal | drupal_core | >= 8.0.0 < 10.3.13 | 10.3.13 |
GHSA
Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
ghsa·2025-04-01
CVE-2025-31674 [MEDIUM] CWE-913 Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
OSV
Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
osv·2025-04-01
CVE-2025-31674 [MEDIUM] Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
OSV
CVE-2025-31674: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion
osv·2025-02-19
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.
Drupal
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
vendor_drupal·2025-02-19
CVE-2025-31674 [MEDIUM] Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
Title: Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
Vulnerability Type: Gadget Chain
Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.
Solution: Install the latest version: If you use Drupal 10.3.x, update to Drupal 10.3.13. If you use Drupal 10.4.x, update to Drupal 10.4.3. If you use Drupal 11.0.x, update to Drupal 11.0.12. If you use D
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.