Drupal Core Cache Poisoning Vulnerability (CVE-2025-13080) Patched Across All Supported Branches
Drupal has released security updates for a moderately critical cache poisoning vulnerability (CVE-2025-13080) affecting all supported branches, allowing attackers to poison cached responses.

Drupal core has been patched against a cache poisoning vulnerability tracked as CVE-2025-13080, which carries a moderately critical severity rating of 13 out of 25 on the Drupal security risk scale. The flaw stems from a rarely used feature in an underlying library that allows certain attributes of incoming HTTP requests to be overridden. An attacker can abuse this functionality to cause Drupal to cache inappropriate response data, leading to legitimate requests receiving poisoned cached responses.
The impact of a successful cache poisoning attack can manifest in several ways, including broken rendering of some pages, unstyled or malformatted pages, and adverse impacts on client-side functionality. The vulnerability affects Drupal versions 8.0.0 through 10.4.8, 10.5.0 through 10.5.5, 11.0.0 through 11.1.8, and 11.2.0 through 11.2.7. Drupal 11.0.x, 10.3.x, and earlier branches are end-of-life and no longer receive security coverage.
While the underlying library's authors do not believe the feature is a source of vulnerabilities in other systems, Drupal's specific use of the library creates an implementation-specific vulnerability. The Drupal Security Team has hardened core to protect against this attack. The fix is included in the latest releases: Drupal 10.4.9, 10.5.6, 11.1.9, and 11.2.8.
The vulnerability was reported by Dragos Dumitrescu, yasser ALLAM, Nils Destoop, Sven Decabooter, and zhero. It was fixed by members of the Drupal Security Team including Alex Pott, catch, cilefen, Jen Lampton, Lee Rowlands, Dave Long, Drew Webber, Nils Destoop, Juraj Nemec, Ra Mänd, and Jess (xjm). The advisory was coordinated by catch, Greg Knaddison, Lee Rowlands, Dave Long, Drew Webber, Juraj Nemec, and Jess.
Administrators are strongly advised to update their Drupal installations to the patched versions immediately. As with all security updates, applying the patch promptly reduces the window of exposure to potential cache poisoning attacks. This advisory follows a pattern of Drupal issuing regular security updates to address vulnerabilities in its core and contributed modules.
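As an added example (not code from the advisory or the Drupal project), the following Python script checks core version strings against the affected ranges and fixed releases listed above, and flags installs that sit on an end-of-life branch with no in-branch fix. The site names, inventory, function names and status labels are assumptions made for illustration.

```python
import re

# Affected ranges (inclusive bounds) exactly as listed in the advisory text.
AFFECTED = [
    ((8, 0, 0), (10, 4, 8)), ((10, 5, 0), (10, 5, 5)),
    ((11, 0, 0), (11, 1, 8)), ((11, 2, 0), (11, 2, 7)),
]
# Fixed release for each branch that received one.
FIXED_IN_BRANCH = {
    (10, 4): "10.4.9", (10, 5): "10.5.6",
    (11, 1): "11.1.9", (11, 2): "11.2.8",
}


def parse_version(text):
    """Parse a stable 'X.Y.Z' core version; dev and pre-release strings
    are rejected so they get reviewed by hand instead of guessed at."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised core version: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version):
    """Return (status, fixed_release) for one core version string."""
    v = parse_version(version)
    if not any(low <= v <= high for low, high in AFFECTED):
        return ("not-listed", None)
    fix = FIXED_IN_BRANCH.get(v[:2])
    if fix:
        return ("affected", fix)
    # In an affected range but on an end-of-life branch: no in-branch fix.
    return ("affected-eol", None)


# Constructed inventory (hypothetical site names and versions).
SAMPLE_INVENTORY = {
    "intranet": "10.4.8", "shop": "10.5.6", "legacy": "9.5.11",
    "campaign": "11.0.5", "docs": "11.2.7",
}


def report(inventory):
    return {site: assess(ver) for site, ver in inventory.items()}


if __name__ == "__main__":
    for site, (status, fix) in report(SAMPLE_INVENTORY).items():
        print(f"{site:10} {status:13} {fix or 'move to a supported branch'}")
```

A result of "affected-eol" means the version falls inside a listed affected range but its branch has no patched release, so the site has to move to a supported branch to receive the fix.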