Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006
Description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core contains a gadget chain exploitable for remote code execution when combined with another vulnerability that allows untrusted deserialization.
Vulnerability
Overview
CVE-2025-13081 is an improperly controlled modification of dynamically-determined object attributes vulnerability in Drupal core, classified as an Object Injection issue [1][2]. The root cause is a chain of methods within Drupal core that, when combined with an insecure deserialization vulnerability, can be leveraged to achieve remote code execution [3].
Attack
Vector
This vulnerability is not directly exploitable on its own [3]. It requires a separate vulnerability that allows an attacker to pass unsafe input to the unserialize() function [3]. Once that precondition is met, the attacker can use the gadget chain to escalate the deserialization into code execution. Drupal core itself has no known deserialization vulnerabilities that would enable this chain [3].
Impact
An attacker who can trigger the gadget chain via an insecure deserialization can achieve remote code execution on the affected Drupal site [3]. This can lead to full compromise of the application and potentially the underlying server.
Mitigation
Drupal has released patches in versions 10.4.9, 10.5.6, 11.1.9, and 11.2.8 to address this issue [1][3]. All users running affected versions (Drupal core 8.0.0 through 10.4.8, 10.5.0 through 10.5.5, 11.0.0 through 11.1.8, or 11.2.0 through 11.2.7) should update immediately [2]. Drupal 8, 9, 10.3.x, and 11.0.x are end-of-life and no longer receive security coverage [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/core | Packagist | >= 8.0.0, < 10.4.9 | 10.4.9 |
| drupal/core | Packagist | >= 10.5.0, < 10.5.6 | 10.5.6 |
| drupal/core | Packagist | >= 11.0.0, < 11.1.9 | 11.1.9 |
| drupal/core | Packagist | >= 11.2.0, < 11.2.8 | 11.2.8 |
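A version triage over the ranges in this table, as an added example that is not part of the advisory or of Drupal's own tooling: it reads a constructed composer.lock fragment and reports which fixed release to move to. It checks the installed version only; as the narrative above notes, actual exploitability also requires a separate path that feeds untrusted input to unserialize().

```python
import json

# Affected ranges and the fixed release for each, as listed in the advisory's package table.
AFFECTED_RANGES = [
    ((8, 0, 0), (10, 4, 9)),
    ((10, 5, 0), (10, 5, 6)),
    ((11, 0, 0), (11, 1, 9)),
    ((11, 2, 0), (11, 2, 8)),
]


def parse_version(version):
    """Turn '10.4.8', 'v10.4.8' or '11.2.0-rc1' into a (major, minor, patch) tuple.

    Pre-release suffixes are dropped, so a release candidate is compared as its base
    version. Non-numeric branch aliases such as '10.x-dev' raise ValueError.
    """
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def fix_for_sa_core_2025_006(version):
    """Return the release to upgrade to if `version` is in an affected range, else None."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def check_composer_lock(lock_text):
    """Map every drupal/core entry in a composer.lock document to its required fix (or None)."""
    findings = {}
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "drupal/core":
            try:
                findings[pkg["version"]] = fix_for_sa_core_2025_006(pkg["version"])
            except ValueError:
                findings[pkg["version"]] = "unknown (non-numeric version)"
    return findings


# Constructed composer.lock fragment for a site pinned just below the first fixed release.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.4.8"},
    {"name": "symfony/yaml", "version": "v6.4.0"},
]})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))  # {'10.4.8': '10.4.9'}
```

Versions on the end-of-life 8.x, 9.x, 10.3.x and 11.0.x lines fall inside the first or third range and are reported against the next supported fixed release, which matches the advisory's guidance to move off those lines.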
Affected products
- drupal/core (Packagist), range: >=8.0.0, <10.4.9 || >=10.5.0, <10.5.6 || >=11.0.0, <11.1.9 || >=11.2.0, <11.2.8
- Drupal/Drupal core (CVE record v5), range: 8.0.0
Patches
No patches discovered yet.
References
- https://github.com/advisories/GHSA-m6vv-vcj8-w8m7 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-13081 (NVD advisory)
- https://www.drupal.org/sa-core-2025-006 (Drupal security advisory, web)
News mentions
- Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006 (Drupal Security Advisories, Nov 12, 2025)