VYPR
Moderate severity · NVD Advisory · Published Jun 11, 2025 · Updated Jun 11, 2025

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064

CVE-2025-48444

Description

Missing access control in Drupal Quick Node Block before 2.0.0 allows unauthorized users to enumerate node labels.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2025-48444 is a missing authorization vulnerability in the Drupal Quick Node Block module, which provides a block to display a rendered node. The module fails to check access permissions before displaying content, allowing unauthorized users to retrieve a list of labels of all nodes [2]. This issue affects versions from 0.0.0 up to, but not including, 2.0.0.

Exploitation

Exploitation requires no authentication or special privileges. An attacker can simply visit a page that uses the Quick Node Block and may be able to forcefully browse node labels through the block's output [1][2]. The attack is classified as forceful browsing, where an attacker can access resources without proper authorization.

Impact

An unauthorized user can enumerate the labels of all nodes on the site, which may expose sensitive information such as titles of unpublished content, node names, or other metadata. This information disclosure could aid in further attacks or violate data privacy.

Mitigation

The vulnerability is fixed in Quick Node Block version 2.0.0. Users are advised to update to the latest version immediately. No workaround is provided other than updating the module [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
drupal/quick_node_block (Packagist) | < 2.0.0 | 2.0.0
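
An added example (not part of the advisory or the module's own code): a check of a site's composer.lock against the affected range listed above. It assumes Composer's standard lock-file layout; the sample lock content and its version numbers are constructed for illustration.

```python
import json
import re

PACKAGE = "drupal/quick_node_block"  # package name as listed in the advisory
FIXED = (2, 0, 0)                    # first patched release per the advisory

def parse_version(raw):
    """Return ((major, minor, patch), is_prerelease), or None for non-release strings."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?", raw.strip())
    if not m:
        return None  # e.g. "dev-2.x" or "2.x-dev": a branch checkout, not a tagged release
    return (int(m[1]), int(m[2]), int(m[3] or 0)), bool(m[4])

def classify(raw):
    """Map an installed version string to 'affected', 'patched' or 'unknown'."""
    parsed = parse_version(raw)
    if parsed is None:
        return "unknown"  # needs manual review; the commit cannot be judged from the string
    numbers, prerelease = parsed
    # Under Composer ordering a pre-release such as 2.0.0-rc1 sorts before 2.0.0,
    # so it still falls inside the advisory's "< 2.0.0" range.
    if numbers < FIXED or (numbers == FIXED and prerelease):
        return "affected"
    return "patched"

def check_lock(lock_text):
    """Return (version, verdict) for the module, or None if it is not installed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                return version, classify(version)
    return None

# Constructed sample composer.lock content (not taken from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.4.1"},
        {"name": "drupal/quick_node_block", "version": "1.3.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(check_lock(text))
```

A verdict of "unknown" means the lock file pins a development branch, so the installed commit has to be compared against the 2.0.0 release by hand.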

References

3
