Drupal Core Information Disclosure Flaw (CVE-2025-13083) Patched Across All Supported Branches
Drupal has released security updates for all supported branches to fix CVE-2025-13083, a moderately critical information disclosure vulnerability in the core system module that can leak private files via CDN caching.

The Drupal Security Team has published a security advisory (SA-CORE-2025-008) addressing CVE-2025-13083, an information disclosure vulnerability affecting Drupal core versions 8.0.0 through 11.2.7. The flaw resides in the core system module responsible for handling downloads of private and temporary files, as well as additional file schemes defined by contributed modules.
Under specific conditions, the system module may serve private or temporary files with an HTTP `Cache-Control: public` header when they should be marked as uncacheable. This misconfiguration can lead to sensitive files being cached by intermediary systems such as Varnish or content delivery networks (CDNs). An attacker who knows the file path could then request a cached copy that was originally accessed by a more-privileged user, potentially gaining access to information they should not be able to view.
The vulnerability is rated moderately critical with a CVSS-equivalent score of 10 out of 25 under Drupal's internal risk scoring system, which factors in attack complexity (complex), authentication (none required), confidentiality impact (some), integrity impact (none), exploitability (theoretical), and threat diversity (uncommon). The advisory notes that exploitation requires several conditions to align: Drupal must be configured to handle non-public files using a custom or contributed module providing an additional file scheme, an attacker must know to request a file previously accessed by a privileged user, and that file must still be cached.
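To check a site's own responses for the condition described above, the following is an added example (not Drupal core code and not from the advisory) that audits response headers for the private and temporary file download routes and flags any response that a shared cache such as Varnish or a CDN is permitted to store. It assumes Drupal's default `/system/files/` and `/system/temporary` paths and uses a simplified reading of the RFC 9111 shared-cache storage rules.

```python
# Added example: audit response headers for Drupal private-file routes and
# flag any response a shared cache (Varnish, CDN) is allowed to store.

# Assumed path prefixes of Drupal's private and temporary file download routes.
PRIVATE_PREFIXES = ("/system/files/", "/system/temporary")

def parse_cache_control(value):
    """Split a Cache-Control header into a {directive: argument-or-None} dict."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_may_store(headers):
    """Simplified RFC 9111 rule: 'private' or 'no-store' forbids storage in a
    shared cache; otherwise 'public' or an explicit freshness lifetime
    (s-maxage, max-age, Expires) permits it."""
    norm = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(norm.get("cache-control", ""))
    if "private" in cc or "no-store" in cc:
        return False
    if "public" in cc:
        return True
    return "s-maxage" in cc or "max-age" in cc or "expires" in norm

def audit_response(path, headers):
    """Return a finding if a private-file path is storable by shared caches, else None."""
    if not path.startswith(PRIVATE_PREFIXES):
        return None  # public files are expected to be cacheable
    if shared_cache_may_store(headers):
        return f"{path}: shared caches may store this private file ({headers})"
    return None

# Constructed sample responses, not captured from a real site.
SAMPLES = [
    ("/system/files/reports/q3.pdf", {"Cache-Control": "public, max-age=3600"}),
    ("/system/files/reports/q3.pdf", {"Cache-Control": "private, no-store"}),
    ("/sites/default/files/logo.png", {"Cache-Control": "public, max-age=3600"}),
]

if __name__ == "__main__":
    for path, hdrs in SAMPLES:
        print(audit_response(path, hdrs) or f"{path}: not shared-cacheable, ok")
```

In practice the headers would come from requests made against the site's origin and again through the CDN, since an edge layer can rewrite Cache-Control independently of what Drupal emits.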
Patches are now available for all supported Drupal branches. Administrators should update to Drupal 10.4.9, 10.5.6, 11.1.9, or 11.2.8 depending on their current version. Drupal 11.0.x, 10.3.x, and all earlier branches have reached end-of-life and no longer receive security coverage, meaning sites still running those versions remain vulnerable with no official fix.
The vulnerability was reported by Damien McKenna of the Drupal Security Team and fixed by a large group of contributors including Benji Fisher, Neil Drumm, Lee Rowlands, and others. The coordinated release was managed by catch, Lee Rowlands, Dave Long, Drew Webber, and Juraj Nemec.
This advisory follows a pattern of periodic Drupal core security releases. In May 2025, Drupal warned of an urgent core security patch for all supported branches, cautioning that exploits could be developed within hours or days of disclosure. While CVE-2025-13083 is rated only moderately critical and requires specific conditions to exploit, the widespread use of Drupal across government, enterprise, and educational websites means that even theoretical vulnerabilities in file handling deserve prompt attention. Administrators are advised to apply the patch and review their CDN and caching configurations to ensure private files are not inadvertently exposed.