Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Drupal core allows attackers to inject arbitrary JavaScript via insufficiently filtered error messages, affecting multiple branches.
Vulnerability
The vulnerability is a reflected Cross-Site Scripting (XSS) issue in Drupal core, stemming from improper neutralization of user input during web page generation [2]. According to the Drupal security advisory, the core software does not sufficiently filter error messages under certain circumstances, leading to the XSS flaw [3].
Exploitation
An attacker can exploit this by crafting a malicious link that triggers a specially constructed error message, causing the Drupal site to reflect arbitrary JavaScript code in the response. No authentication is explicitly required: the attack is remote and is delivered via a crafted URL. Drupal's advisory notes that exploit details may become public soon [3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, content injection, or defacement, potentially compromising user data and the integrity of the Drupal site [3].
Mitigation
Drupal has released patched versions: 10.3.13, 10.4.3, 11.0.12, and 11.1.3 [3]. Sites using Drupal Steward are protected, but upgrading is strongly recommended. Drupal versions before 10.3 are end-of-life and no longer receive security coverage [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/core | Packagist | >= 8.0.0, < 10.3.13 | 10.3.13 |
| drupal/core | Packagist | >= 10.4.0, < 10.4.3 | 10.4.3 |
| drupal/core | Packagist | >= 11.0.0, < 11.0.12 | 11.0.12 |
| drupal/core | Packagist | >= 11.1.0, < 11.1.3 | 11.1.3 |
Affected products (4)
- Range: >=8.0.0 <10.3.13, >=10.4.0 <10.4.3, >=11.0.0 <11.0.12, >=11.1.0 <11.1.3
- OSV coordinates (2 versions): >= 8.0.0, < 10.4.3, plus 1 more
- (no CPE) range: >= 8.0.0, < 10.4.3
- (no CPE) range: >= 8.0.0, < 10.3.13
- Drupal / Drupal core (v5) range: 8.0.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
1. github.com/advisories/GHSA-39g6-x4x8-5jcm (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2025-3057 (GHSA, advisory)
3. www.drupal.org/sa-core-2025-001 (GHSA, web)
News mentions (1)
- Drupal core - Critical - Cross site scripting - SA-CORE-2025-001 (Drupal Security Advisories, Feb 19, 2025)