Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
Description
A vulnerability in Drupal Core allows Excessive Allocation. This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A moderately critical denial-of-service vulnerability in Drupal Core's Comment module allows attackers to trigger excessive allocation via crafted comment reply requests.
Vulnerability
Overview
CVE-2024-11941 describes a denial-of-service (DoS) vulnerability in Drupal Core caused by excessive resource allocation. The issue specifically resides in the Comment module, where users can reply to comments. Under certain conditions, an attacker can make crafted comment reply requests that lead to unbounded memory or processing consumption, resulting in a denial of service [3].
Attack
Vector and Prerequisites
The vulnerability is exploitable over the network by anyone who can submit comment reply requests. Replying to a comment requires the Comment module's "post comments" permission; on sites that grant that permission to the anonymous role, no authentication is needed at all, and on sites that restrict it, any account holding it suffices. No elevated privileges are required, and the attack does not require user interaction beyond the crafted request itself [2][3].
Impact
If successfully exploited, an attacker can cause the Drupal site to become unresponsive due to excessive resource allocation. This effectively denies service to legitimate users. The impact is limited to availability; there is no evidence of data integrity or confidentiality compromise [2][3].
Mitigation
Status
The Drupal Security Team has released fixed versions of the affected branches. Sites running Drupal 10.2.x prior to 10.2.2 should update to 10.2.2, and those on 10.1.x prior to 10.1.8 should update to 10.1.8. Versions of Drupal 10 before 10.1 are end-of-life and do not receive security updates, so a 10.0.x site is not covered by the fixed releases and needs to move to a supported branch. Sites that do not use the Comment module are not affected [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/core | Packagist | >= 10.1.0, < 10.1.8 | 10.1.8 |
| drupal/core | Packagist | >= 10.2.0, < 10.2.2 | 10.2.2 |
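The following script is an added example, not code from the page or from the Drupal project. It turns the affected ranges in the table above and the end-of-life note in the Mitigation section into a check that can be run against a site's `composer.lock`: it reads the installed `drupal/core` version, compares it against the two advisory ranges with Composer's ordering (a pre-release such as `10.2.0-rc1` sorts below `10.2.0`), and reports the patched version to move to. The sample lock file embedded at the bottom is constructed for the example and trimmed to the fields the check reads.

```python
import json
import re
from typing import Optional, Tuple

# Affected ranges for drupal/core from the GitHub Security Advisory for
# CVE-2024-11941 / SA-CORE-2024-001: (lower bound inclusive, upper bound
# exclusive, patched version to update to).
AFFECTED_RANGES = [
    ("10.1.0", "10.1.8", "10.1.8"),
    ("10.2.0", "10.2.2", "10.2.2"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(v: str) -> tuple:
    """Turn '10.2.1' or '10.2.0-rc1' into a tuple that sorts like Composer does.

    A pre-release tag sorts below the final release with the same number, so
    the tuple carries a 0 for pre-releases and a 1 for final releases.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def classify(version: str) -> Tuple[str, Optional[str]]:
    """Classify an installed drupal/core version against SA-CORE-2024-001.

    Returns (status, patched_version):
      'affected'   - inside a published range; patched_version is the fix
      'eol'        - Drupal 10 before 10.1, which the advisory says receives
                     no security coverage; not being listed is not safety
      'not-listed' - outside the published ranges (already patched, or a
                     branch the advisory does not enumerate)
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return ("affected", fixed)
    if v[0] == 10 and v < parse_version("10.1.0"):
        return ("eol", None)
    return ("not-listed", None)


def installed_drupal_core(lock_text: str) -> Optional[str]:
    """Return the drupal/core version recorded in composer.lock, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg["version"]
    return None


def check_lockfile(lock_text: str) -> str:
    """Human-readable verdict for the contents of a composer.lock file."""
    version = installed_drupal_core(lock_text)
    if version is None:
        return "drupal/core not present in composer.lock"
    status, fixed = classify(version)
    if status == "affected":
        return f"drupal/core {version}: AFFECTED by SA-CORE-2024-001, update to {fixed}"
    if status == "eol":
        return f"drupal/core {version}: end-of-life branch, no security coverage; upgrade to 10.1.8+ or 10.2.2+"
    return f"drupal/core {version}: outside the published affected ranges for SA-CORE-2024-001"


# Constructed sample composer.lock, reduced to the fields this check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.2.1"},
        {"name": "drupal/core-recommended", "version": "10.2.1"},
    ]
})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))
```

Run it against a real project with `python check.py < /dev/null` after swapping `SAMPLE_LOCK` for `open("composer.lock").read()`; the `drupal/core` entry is what matters, since `drupal/core-recommended` only pins the same version. The version check tells you whether the vulnerable code is installed, not whether it is reachable: per the advisory, sites without the Comment module enabled are not affected even on a listed version.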
Affected products
- GitHub Security Advisory range: >= 10.2.0, < 10.2.2 and >= 10.1.0, < 10.1.8
- OSV coordinates (no CPE): >= 8.0.0, < 10.2.4 and >= 10.1.0, < 10.1.8
- CVE 5.x record: Drupal / Drupal Core, version 10.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/advisories/GHSA-xq54-x54m-vcpx (GHSA advisory)
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-11941 (NVD advisory)
[3] https://www.drupal.org/sa-core-2024-001 (Drupal security advisory)
News mentions
- Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001, Drupal Security Advisories, Jan 17, 2024