Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
Description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core is vulnerable to PHP object injection via improperly controlled modification of dynamically-determined object attributes, enabling remote code execution when combined with another exploit.
Vulnerability
Overview
CVE-2025-31674 is a vulnerability in Drupal core that arises from improperly controlled modification of dynamically-determined object attributes (CWE-915) [2]. It is classified as an "Object Injection" flaw, specifically a PHP object injection gadget chain that can lead to arbitrary file inclusion and, when chained with a separate exploit, remote code execution [3].
Attack
Vector
The vulnerability is not directly exploitable on its own: it requires a separate bug in Drupal core or a contributed module that lets an attacker pass unsanitized input to PHP's unserialize() function [3]. Once attacker-controlled serialized data reaches unserialize(), PHP instantiates whatever classes the payload names and fills in their properties without running a constructor. The gadget chain is a set of classes already loaded by Drupal whose magic methods (for example __wakeup() or __destruct()) act on those attacker-chosen property values; linking them turns a deserialization into file inclusion or code execution without any further call from application code.
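As an added illustration of the sink described above (this is example code, not code from Drupal core or the advisory), the PHP script below defines a hypothetical gadget class, CacheFlusher, feeds a constructed serialized payload to unserialize() to show that a magic method runs with attacker-chosen property values, and then shows two ways to close the sink: unserialize() with allowed_classes set to false, and json_decode(). The class name, file path and payload are assumptions for the demonstration; the real chain in Drupal core is built from Drupal's own classes and is not reproduced here. Requires PHP 8.

```php
<?php
// Added example, not Drupal code: why attacker-controlled data must never reach
// unserialize(), and two safer alternatives. CacheFlusher is a hypothetical
// "gadget": a class already loaded by the application whose magic method does
// something useful to an attacker when given the right property values.

declare(strict_types=1);

final class CacheFlusher
{
    // Properties an attacker can set freely in a serialized payload.
    public string $logFile = '/tmp/app.log';
    public string $message = '';

    public function __destruct()
    {
        // Runs automatically when the object is freed, i.e. right after the
        // object produced by unserialize() goes out of scope. No application
        // code has to call anything for this to happen.
        file_put_contents($this->logFile, $this->message, FILE_APPEND);
    }
}

/**
 * Vulnerable pattern: a cookie or request parameter reaches unserialize().
 * The attacker chooses which class is instantiated and every property value.
 */
function restoreStateVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

/**
 * Hardened: refuse object instantiation entirely. Any O:... token in the
 * payload becomes __PHP_Incomplete_Class, which has no magic methods to fire.
 */
function restoreStateNoObjects(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

/**
 * Hardened: do not use PHP serialization for untrusted data at all. JSON
 * cannot name a PHP class, so there is no gadget to reach.
 */
function restoreStateJson(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed payload: a serialized CacheFlusher with attacker-chosen target
// path and contents. Building it through a closure means the helper object is
// freed immediately (its __destruct fires once here), then the file is removed.
$target = sys_get_temp_dir() . '/object-injection-demo.txt';
$payload = serialize((function () use ($target) {
    $g = new CacheFlusher();
    $g->logFile = $target;
    $g->message = "written by a gadget\n";
    return $g;
})());
@unlink($target);

$obj = restoreStateVulnerable($payload);
unset($obj);                                   // __destruct writes $target
echo "vulnerable: file exists = ", var_export(file_exists($target), true), "\n";
@unlink($target);

$obj = restoreStateNoObjects($payload);
echo "allowed_classes=false: got ", get_class($obj), "\n";
unset($obj);                                   // nothing runs
echo "hardened: file exists = ", var_export(file_exists($target), true), "\n";

try {
    restoreStateJson($payload);
} catch (JsonException $e) {
    echo "json_decode rejects serialized PHP: ", $e->getMessage(), "\n";
}
```

Run it with `php object-injection-demo.php` and observe that the file appears only in the vulnerable case. The allowed_classes option only protects a call site you control; the advisory's point is that an unserialize() sink anywhere in core or a contributed module is enough for the chain in core to be reachable.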
Impact
Successful exploitation of this gadget chain could allow an attacker to achieve arbitrary file inclusion and remote code execution, potentially leading to full site compromise, data theft, or site defacement [2][3]. The severity is rated as moderately critical by the Drupal security team, reflecting the need for a secondary vulnerability to be present.
Mitigation
Drupal has released patched versions to address this issue: upgrade to Drupal 10.3.13, 10.4.3, 11.0.12, or 11.1.3, depending on your branch [3]. Drupal 8, Drupal 9 and Drupal 10 releases before 10.3 are end-of-life and no longer receive security coverage, so sites running those versions should upgrade to a supported release immediately. No workaround is provided beyond upgrading. Because the chain only fires when something else hands attacker-controlled data to unserialize(), auditing custom and contributed code for unserialize() calls on request data reduces exposure, but it does not replace the upgrade.
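A version check, added here as an example rather than something the advisory provides: the PHP script below encodes the four affected ranges from the advisory, reads the drupal/core entry from a composer.lock file and reports whether the pinned release is affected, patched, or on an end-of-life branch that never received a fix. The sample lock content is constructed for the demonstration, and the script name and command-line usage are assumptions.

```php
<?php
// Added example, not part of the advisory: decide whether a site's pinned
// drupal/core release falls inside a range listed by SA-CORE-2025-003.

declare(strict_types=1);

/** [first affected, first fixed] pairs, taken from the advisory. */
const AFFECTED_RANGES = [
    ['8.0.0',  '10.3.13'],
    ['10.4.0', '10.4.3'],
    ['11.0.0', '11.0.12'],
    ['11.1.0', '11.1.3'],
];

/**
 * Returns a one-line verdict for a drupal/core version string.
 * Branches below 10.3 (Drupal 8, 9, 10.0 to 10.2) are end-of-life and have
 * no fixed release of their own; the only remedy is a newer branch.
 */
function assessDrupalCore(string $version): string
{
    $v = ltrim($version, 'v');
    foreach (AFFECTED_RANGES as [$lo, $fixed]) {
        if (version_compare($v, $lo, '>=') && version_compare($v, $fixed, '<')) {
            if (version_compare($v, '10.3.0', '<')) {
                return "$v is AFFECTED and end-of-life; upgrade to a supported branch ($fixed or newer)";
            }
            return "$v is AFFECTED; upgrade to $fixed";
        }
    }
    return "$v is not in any range listed by SA-CORE-2025-003";
}

/** Finds drupal/core in composer.lock content (JSON) and assesses it. */
function assessLockFile(string $lockJson): string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === 'drupal/core') {
            return assessDrupalCore((string) $pkg['version']);
        }
    }
    // Sites built from drupal/core-recommended still pin drupal/core, so a
    // missing entry usually means a non-Composer install.
    return 'drupal/core not found in lock file';
}

// Constructed sample lock content: a site pinned one release short of the fix.
$sampleLock = json_encode(['packages' => [
    ['name' => 'drupal/core',  'version' => '10.4.2'],
    ['name' => 'symfony/yaml', 'version' => 'v7.2.0'],
]]);
echo assessLockFile($sampleLock), "\n";

// Edge cases: EOL branch, exact fixed release, last affected 11.0.x, later branch.
foreach (['9.5.11', '10.3.13', '11.0.11', '11.1.3', '11.2.0'] as $ver) {
    echo assessDrupalCore($ver), "\n";
}

// Against a real site: php check-sa-core-2025-003.php /path/to/composer.lock
if (PHP_SAPI === 'cli' && isset($argv[1]) && is_readable($argv[1])) {
    echo assessLockFile((string) file_get_contents($argv[1])), "\n";
}
```

version_compare() treats pre-release suffixes as lower than the bare release, so a 10.4.3-rc1 pin is reported as affected, which is the conservative answer.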
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.0.0, < 10.3.13 | 10.3.13 |
| drupal/core (Packagist) | >= 10.4.0, < 10.4.3 | 10.4.3 |
| drupal/core (Packagist) | >= 11.0.0, < 11.0.12 | 11.0.12 |
| drupal/core (Packagist) | >= 11.1.0, < 11.1.3 | 11.1.3 |
Affected products
- Range: >=8.0.0 <10.3.13, >=10.4.0 <10.4.3, >=11.0.0 <11.0.12, >=11.1.0 <11.1.3
- OSV coordinates (2 versions): >= 8.0.0, < 10.4.3 (+ 1 more)
- (no CPE) range: >= 8.0.0, < 10.4.3
- (no CPE) range: >= 8.0.0, < 10.3.13
- Drupal / Drupal core (v5) range: 8.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://github.com/advisories/GHSA-2qph-q8xw-gv7q (GHSA advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2025-31674 (NVD, via GHSA)
3. https://www.drupal.org/sa-core-2025-003 (Drupal security advisory, via GHSA)
News mentions
- Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003 (Drupal Security Advisories, Feb 19, 2025)