VYPR
Moderate severity · NVD Advisory · Published Mar 31, 2025 · Updated Apr 29, 2025

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014

CVE-2025-31685

Description

Missing authorization in Drupal Open Social allows unauthorized users to access restricted content via forceful browsing, affecting versions before 12.3.11 and 12.4.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-31685 is a missing authorization vulnerability in the Open Social distribution for Drupal. The issue resides in the language access check within the OpenSocial\LanguageAccess class. When the access checker was invoked without a permission parameter, the original code returned an unconditional allow instead of consulting the route's requirements, so unauthorized users could reach routes guarded by this check [1].

Exploitation is achieved through forceful browsing: an attacker requests a protected endpoint directly, and the missing permission check lets the request through without authentication or authorization. No prerequisites beyond network access to the site are required [1]. The fix, present in two identical commits [2][3], retrieves the required permission from the route object and applies the proper permission check.

The impact is information disclosure and potential bypass of access controls, enabling unauthorized viewing of content that should be restricted (e.g., private groups or posts). This could lead to data exposure and violation of access policies.

Mitigation is available by updating Open Social to version 12.3.11 or 12.4.10, which include the corrected access logic [1][2][3]. Users on earlier versions should upgrade immediately. No workarounds are documented beyond applying the patch.
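To make the decision change concrete, the following is an added illustration (not Open Social's code and not taken from the advisory) that places the pre-fix and post-fix decision logic side by side and runs both over a few constructed calls. The Drupal and Symfony classes are simplified stand-ins written for this example, the permission name is a placeholder, and the checker keeps only the two-branch structure visible in the patch. It differs from the patch in one deliberate respect: instead of `assert()`, which production PHP compiles out, a missing route object is treated as forbidden.

```php
<?php
declare(strict_types=1);

// Stand-in for Drupal's AccessResult (constructed for this example).
// Drupal's route access manager grants a route only when every checker
// returns "allowed", so "neutral" denies the request.
final class AccessResult {
    private function __construct(public readonly string $verdict) {}
    public static function allowed(): self { return new self('allowed'); }
    public static function neutral(): self { return new self('neutral'); }
    public static function forbidden(): self { return new self('forbidden'); }
    // Mirrors allowedIfHasPermission(): allowed when the account holds the permission, else neutral.
    public static function allowedIfHasPermission(Account $account, string $permission): self {
        return $account->hasPermission($permission) ? self::allowed() : self::neutral();
    }
}

// Stand-in for AccountInterface with a constructed permission set.
final class Account {
    public function __construct(private array $permissions) {}
    public function hasPermission(string $permission): bool {
        return $permission !== '' && in_array($permission, $this->permissions, true);
    }
}

// Stand-in for Symfony's Route: only the requirements map matters here.
final class Route {
    public function __construct(private array $requirements) {}
    public function getRequirements(): array { return $this->requirements; }
}

// Stand-in for RouteMatchInterface; getRouteObject() may return NULL.
final class RouteMatch {
    public function __construct(private ?Route $route) {}
    public function getRouteObject(): ?Route { return $this->route; }
}

final class LanguageAccessChecker {
    public function __construct(private int $languageCount) {}

    // Pre-fix logic: a call without $permission falls into the "allowed" branch.
    public function accessBefore(RouteMatch $routeMatch, Account $account, $permission = NULL): AccessResult {
        if ($this->languageCount > 1) {
            if (!empty($permission)) {
                return AccessResult::allowedIfHasPermission($account, $permission);
            }
            return AccessResult::allowed();
        }
        return AccessResult::forbidden();
    }

    // Post-fix logic: with no $permission, read the route's _social_language_access
    // requirement; anything that is not a permission string yields neutral (deny).
    public function accessAfter(RouteMatch $routeMatch, Account $account, $permission = NULL): AccessResult {
        if ($this->languageCount > 1) {
            if (is_null($permission)) {
                $route = $routeMatch->getRouteObject();
                // Explicit fail-closed check in place of the patch's assert().
                if (!$route instanceof Route) {
                    return AccessResult::forbidden();
                }
                $permission = $route->getRequirements()['_social_language_access'] ?? NULL;
            }
            if (is_string($permission)) {
                return AccessResult::allowedIfHasPermission($account, $permission);
            }
            return AccessResult::neutral();
        }
        return AccessResult::forbidden();
    }
}

// Constructed scenarios; 'example permission' is a placeholder, not an Open Social permission.
$checker = new LanguageAccessChecker(languageCount: 2);
$anonymous = new Account([]);
$editor = new Account(['example permission']);
$guardedRoute = new RouteMatch(new Route(['_social_language_access' => 'example permission']));
$unguardedRoute = new RouteMatch(new Route([]));

$cases = [
    'anonymous, no permission argument (forceful browsing)' => [$guardedRoute, $anonymous, NULL],
    'editor, no permission argument'                        => [$guardedRoute, $editor, NULL],
    'anonymous, explicit permission argument'               => [$guardedRoute, $anonymous, 'example permission'],
    'anonymous, route without requirement'                  => [$unguardedRoute, $anonymous, NULL],
];

printf("%-55s %-10s %-10s\n", 'case', 'before', 'after');
foreach ($cases as $label => [$routeMatch, $account, $permission]) {
    printf("%-55s %-10s %-10s\n", $label,
        $checker->accessBefore($routeMatch, $account, $permission)->verdict,
        $checker->accessAfter($routeMatch, $account, $permission)->verdict);
}
```

Run with `php example.php`. The first and last rows are the ones that matter: before the fix an anonymous caller with no permission argument gets "allowed" on both the guarded and the unguarded route, after the fix the guarded route resolves to the route's own permission (neutral for anonymous, allowed for the editor) and the unguarded route falls through to neutral, which the route access manager treats as a denial.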

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               | Affected versions     | Patched versions
goalgorilla/open_social (Packagist)   | < 12.3.11             | 12.3.11
goalgorilla/open_social (Packagist)   | >= 12.4.0, < 12.4.10  | 12.4.10

Affected products: 2

Patches: 2

52c531e156fb

When language service is not being called make sure to use the route object

https://github.com/goalgorilla/open_social · Robert Ragas · Feb 12, 2025 · via ghsa
1 file changed · +15 −4
  • modules/custom/social_language/src/Access.php (+15 −4, modified)
    @@ -7,6 +7,7 @@
     use Drupal\Core\Routing\Access\AccessInterface;
     use Drupal\Core\Routing\RouteMatchInterface;
     use Drupal\Core\Session\AccountInterface;
    +use Symfony\Component\Routing\Route;
     
     /**
      * Class Access.
    @@ -49,12 +50,22 @@ public function __construct(LanguageManagerInterface $language_manager) {
        */
       public function access(RouteMatchInterface $route_match, AccountInterface $account, $permission = NULL) {
         if (count($this->languageManager->getLanguages()) > 1) {
    -      if (!empty($permission)) {
    -        return AccessResult::allowedIfHasPermission($account, $permission);
    +      // If the permission is null the service was not called,
    +      // and we should get it from the route object.
    +      if (is_null($permission)) {
    +        // Get route object.
    +        $route = $route_match->getRouteObject();
    +        assert($route instanceof Route);
    +
    +        // Get defined permission on _social_language_access.
    +        $permission = $route->getRequirements()['_social_language_access'];
           }
    -      else {
    -        return AccessResult::allowed();
    +
    +      if (is_string($permission)) {
    +        return AccessResult::allowedIfHasPermission($account, $permission);
           }
    +
    +      return AccessResult::neutral();
         }
     
         return AccessResult::forbidden();
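Review bot: the `assert($route instanceof Route);` guard in this hunk only runs when zend.assertions is enabled, which is off in the usual production configuration, so a NULL from `$route_match->getRouteObject()` reaches `$route->getRequirements()` and produces a fatal error rather than a clean denial; an explicit `if (!$route instanceof Route) { return AccessResult::forbidden(); }` keeps the fail-closed behaviour without depending on the PHP configuration. Two smaller points on the same branch: `$route->getRequirements()['_social_language_access']` emits an "Undefined array key" warning when a route reaches this checker without that requirement (the outcome is still neutral, so it is safe, but `?? NULL` would keep the logs clean), and the replacement of `!empty($permission)` with `is_string($permission)` means an empty-string permission is now passed to `allowedIfHasPermission()` and denied where it was previously allowed; that is the intended fail-closed direction and deserves a line in the commit message plus a kernel test covering the NULL-permission path, which this change does not add.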
    
6ebeed01c83d

When language service is not being called make sure to use the route object

https://github.com/goalgorilla/open_social · Robert Ragas · Feb 12, 2025 · via ghsa
1 file changed · +15 −4
  • modules/custom/social_language/src/Access.php (+15 −4, modified)
    @@ -7,6 +7,7 @@
     use Drupal\Core\Routing\Access\AccessInterface;
     use Drupal\Core\Routing\RouteMatchInterface;
     use Drupal\Core\Session\AccountInterface;
    +use Symfony\Component\Routing\Route;
     
     /**
      * Class Access.
    @@ -49,12 +50,22 @@ public function __construct(LanguageManagerInterface $language_manager) {
        */
       public function access(RouteMatchInterface $route_match, AccountInterface $account, $permission = NULL) {
         if (count($this->languageManager->getLanguages()) > 1) {
    -      if (!empty($permission)) {
    -        return AccessResult::allowedIfHasPermission($account, $permission);
    +      // If the permission is null the service was not called,
    +      // and we should get it from the route object.
    +      if (is_null($permission)) {
    +        // Get route object.
    +        $route = $route_match->getRouteObject();
    +        assert($route instanceof Route);
    +
    +        // Get defined permission on _social_language_access.
    +        $permission = $route->getRequirements()['_social_language_access'];
           }
    -      else {
    -        return AccessResult::allowed();
    +
    +      if (is_string($permission)) {
    +        return AccessResult::allowedIfHasPermission($account, $permission);
           }
    +
    +      return AccessResult::neutral();
         }
     
         return AccessResult::forbidden();
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.