Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
Description
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core contains a cache poisoning vulnerability due to improper handling of HTTP request attributes, allowing forceful browsing.
Vulnerability
Overview
CVE-2025-13080 is an improper check for unusual or exceptional conditions vulnerability in Drupal core that enables forceful browsing. The root cause is a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden. This flaw can cause Drupal to cache response data that it should not, leading to cache poisoning. [2][3]
Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP requests that manipulate the attribute override functionality. Successful exploitation does not require authentication and can be performed over the network, as the feature is intended for legitimate use but lacks proper validation. The attacker can force the server to cache inappropriate responses that are then served to other users. [3]
Impact
The cache poisoning can result in various adverse effects, including broken rendering of some pages, unstyled or malformatted output, and negative impacts on client-side functionality. This can degrade the user experience and potentially be used for further attacks, such as delivering malicious content to unsuspecting users. [3]
Mitigation
Drupal has released security updates to address this vulnerability. Users should upgrade to Drupal 10.4.9, 10.5.6, 11.1.9, or 11.2.8, depending on their current version. Versions prior to 10.4.0, 10.5.0, 11.1.0, and 11.2.0 are end-of-life and should be updated to a supported release. [3]
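As a defender-side check the mitigation above implies but does not include, the following is an added Python example (not Drupal's code and not part of the advisory) that compares the drupal/core version recorded in a composer.lock file against the four affected ranges listed on this page and names the release to move to. The composer.lock content embedded below is constructed for illustration, and the helper names are the example's own; pre-release builds of a fixed version (for example a release candidate) are deliberately treated as still affected.

```python
"""Check a drupal/core version against the SA-CORE-2025-005 / CVE-2025-13080
ranges listed on this page. Added example, not Drupal's own tooling."""
import json
from typing import Optional, Tuple

# (lower bound inclusive, upper bound exclusive, fixed release) as published
# in the advisory's affected-package table.
AFFECTED_RANGES = [
    ("8.0.0", "10.4.9", "10.4.9"),
    ("10.5.0", "10.5.6", "10.5.6"),
    ("11.0.0", "11.1.9", "11.1.9"),
    ("11.2.0", "11.2.8", "11.2.8"),
]


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn "v10.4.9-rc1" into a comparable tuple (major, minor, patch, flag).

    The trailing flag is 1 for a final release and 0 for a pre-release, so
    "10.4.9-rc1" sorts below "10.4.9" and is still reported as affected
    (fail-safe: an unfinished fix does not count as the fix).
    Raises ValueError for versions it cannot parse, e.g. "10.4.x-dev".
    """
    core = version.lstrip("v")
    is_final = "-" not in core
    core = core.split("-", 1)[0].split("+", 1)[0]   # drop pre-release / build metadata
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                            # "10.4" -> 10.4.0
        parts.append(0)
    return (parts[0], parts[1], parts[2], 1 if is_final else 0)


def fixed_release_for(version: str) -> Optional[str]:
    """Return the patched release if `version` is affected, otherwise None."""
    v = parse_version(version)
    for low, high, patched in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return patched
    return None


def scan_composer_lock(lock_text: str) -> dict:
    """Map each drupal/core entry in a composer.lock document to
    (installed version, fixed release or None, or "unparseable")."""
    lock = json.loads(lock_text)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != "drupal/core":
            continue
        installed = pkg.get("version", "")
        try:
            findings[pkg["name"]] = (installed, fixed_release_for(installed))
        except ValueError:
            findings[pkg["name"]] = (installed, "unparseable")
    return findings


# Constructed composer.lock excerpt (hypothetical project, not from the page).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.5.4"},
        {"name": "symfony/http-foundation", "version": "v6.4.12"},
    ]
})

if __name__ == "__main__":
    for name, (installed, fix) in scan_composer_lock(SAMPLE_LOCK).items():
        status = "not in an affected range" if fix is None else f"affected, upgrade to {fix}"
        print(f"{name} {installed}: {status}")
```

Point the scanner at each site's real composer.lock rather than the constructed sample; a project that pins drupal/core through a metapackage still records the concrete drupal/core version in the lock file, which is what the check reads.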
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Source | Affected versions | Patched versions |
|---|---|---|---|
| drupal/core | Packagist | >= 8.0.0, < 10.4.9 | 10.4.9 |
| drupal/core | Packagist | >= 10.5.0, < 10.5.6 | 10.5.6 |
| drupal/core | Packagist | >= 11.0.0, < 11.1.9 | 11.1.9 |
| drupal/core | Packagist | >= 11.2.0, < 11.2.8 | 11.2.8 |
Affected products
- Range: >=8.0.0, <10.4.9; >=10.5.0, <10.5.6; >=11.0.0, <11.1.9; >=11.2.0, <11.2.8
- Drupal / Drupal core (CVE v5 record), Range: 8.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-83v7-c2cf-p9c2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-13080 (GHSA, advisory)
- www.drupal.org/sa-core-2025-005 (GHSA, web)
News mentions
- Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005 (Drupal Security Advisories, Nov 12, 2025)