Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008
Description
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core improperly sets Cache-Control: public on private files, so shared proxies may cache them and serve the sensitive content to unauthorized users.
Vulnerability
Overview
CVE-2025-13083 is an information disclosure vulnerability in Drupal core's system module, which handles downloads of private and temporary files. The root cause is a "use of web browser cache containing sensitive information" weakness: files served by Drupal may be incorrectly assigned the HTTP header Cache-Control: public when they should be uncacheable. This misconfiguration allows sensitive data to be stored in shared caching layers such as Varnish or a CDN and served from there to other users [3].
Exploitation
Conditions
Exploitation requires several conditions to be met. First, Drupal must be configured to handle non-public files using a custom or contributed module that provides an additional file scheme. Second, an attacker must know to request a specific file that has previously been requested by a more-privileged user, and that file must still be present in the cache [3]. The attack does not require authentication, but relies on the attacker being able to guess or discover the file path.
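The overview and the conditions above come down to one question a defender can check directly: given the headers on a private-file response, would a shared cache (Varnish, a CDN) be allowed to store it? The script below is an added example, not Drupal's code and not part of this advisory. It implements the shared-cache storage rules of RFC 9111 section 3 in simplified form and runs them over a few constructed responses; the path prefix `/system/files/` is Drupal's private-file download route as I know it, not something this page states, and the sample paths and headers are invented.

```python
"""Audit whether responses for non-public file paths are storable by a shared cache.

Added example, not Drupal core's code. The decision logic is a simplified
version of the shared-cache rules in RFC 9111 section 3.
"""

# Status codes a cache may store without an explicit freshness lifetime
# (RFC 9110 section 15.1, "heuristically cacheable").
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument or None}.

    Directive names are case-insensitive; quoted arguments are unquoted.
    """
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def shared_cache_may_store(status, headers, request_has_authorization=False):
    """Return True if a shared cache (proxy, CDN) is allowed to store this response.

    Simplified from RFC 9111 section 3: no-store and private forbid storage;
    a response to an Authorization-bearing request needs an explicit opt-in;
    otherwise the response must be marked public, carry an explicit expiry,
    or have a heuristically cacheable status code.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    explicit_opt_in = "public" in cc or "s-maxage" in cc or "must-revalidate" in cc
    if request_has_authorization and not explicit_opt_in:
        return False
    has_expiry = "expires" in h or "max-age" in cc or "s-maxage" in cc
    return "public" in cc or has_expiry or status in HEURISTICALLY_CACHEABLE


def audit_private_file_responses(responses, private_prefixes=("/system/files/",)):
    """Return the paths under a private prefix whose response a shared cache could store.

    responses: iterable of (path, status, headers) tuples.
    private_prefixes: URL prefixes that serve non-public files. /system/files/ is
    Drupal's private-file route; add the routes of any custom file scheme here.
    """
    findings = []
    for path, status, headers in responses:
        if path.startswith(private_prefixes) and shared_cache_may_store(status, headers):
            findings.append(path)
    return findings


# Constructed sample responses, not real captures.
SAMPLE_RESPONSES = [
    # The pattern this advisory describes: a private file marked public.
    ("/system/files/reports/payroll-2025.pdf", 200,
     {"Content-Type": "application/pdf", "Cache-Control": "public, max-age=3600"}),
    # No Cache-Control at all: a 200 is heuristically cacheable, so still a finding.
    ("/system/files/reports/board-minutes.pdf", 200,
     {"Content-Type": "application/pdf"}),
    # Correctly protected: private forbids shared caches, no-store forbids all.
    ("/system/files/reports/contract.pdf", 200,
     {"Content-Type": "application/pdf", "Cache-Control": "private, no-store"}),
    # A genuinely public file; caching it is fine and it is outside the private prefix.
    ("/sites/default/files/logo.png", 200,
     {"Content-Type": "image/png", "Cache-Control": "public, max-age=86400"}),
]


if __name__ == "__main__":
    for path in audit_private_file_responses(SAMPLE_RESPONSES):
        print("shared-cacheable private file response:", path)
```

In practice you would feed `audit_private_file_responses` the paths and headers captured from your own site after upgrading, rather than the constructed list; a private file whose response lacks `private` or `no-store` is a finding even when no `public` directive is present, because a 200 with no cache directives is heuristically cacheable.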
Impact
If successfully exploited, an attacker can retrieve cached versions of files that contain information they should not be able to access. This could include private documents, user data, or other sensitive content that was intended to be restricted to authorized users only [3].
Mitigation
The vulnerability affects Drupal core versions from 8.0.0 before 10.4.9, 10.5.0 before 10.5.6, 11.0.0 before 11.1.9, 11.2.0 before 11.2.8, and 7.0 before 7.103 [2]. The Drupal Security Team has released patches in the latest version of each supported branch. Users are strongly advised to update to Drupal 10.4.9, 10.5.6, 11.1.9, or 11.2.8 as appropriate. Older branches such as Drupal 11.0.x, 10.3.x, and below are end-of-life and do not receive security coverage [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.0.0, < 10.4.9 | 10.4.9 |
| drupal/core (Packagist) | >= 10.5.0, < 10.5.6 | 10.5.6 |
| drupal/core (Packagist) | >= 11.0.0, < 11.1.9 | 11.1.9 |
| drupal/core (Packagist) | >= 11.2.0, < 11.2.8 | 11.2.8 |
| drupal/core (Packagist) | >= 7.0, < 7.103 | 7.103 |
Affected products
- Range: >=7.0, <7.103; >=8.0.0, <10.4.9; >=10.5.0, <10.5.6; >=11.0.0, <11.1.9; >=11.2.0, <11.2.8
- Drupal/Drupal core (v5), range: 8.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-mhpg-hpj5-73r2 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-13083 (GHSA, advisory)
- https://www.drupal.org/sa-core-2025-008 (GHSA, web)
News mentions
- Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008 (Drupal Security Advisories · Nov 12, 2025)