CVE-2025-13081 - Vulnerability Details - OpenCVE

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Drupal	Drupal Drupal Core

Configuration 1 [-]

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::

No data.

References

Link	Providers
https://www.drupal.org/sa-core-2025-006

History

Mon, 24 Nov 2025 17:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:drupal:drupal::::::::

Wed, 19 Nov 2025 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Drupal Drupal drupal Drupal drupal Core
Vendors & Products		Drupal Drupal drupal Drupal drupal Core

Tue, 18 Nov 2025 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-502
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 18 Nov 2025 17:00:00 +0000

Type	Values Removed	Values Added
Description		Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Title		Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006
Weaknesses		CWE-915
References		https://www.drupal.org/sa-core-2025-006

MITRE

Status: PUBLISHED

Assigner: drupal

Published: 2025-11-18T16:54:56.214Z

Updated: 2025-11-19T04:55:19.564Z

Reserved: 2025-11-12T18:26:37.184Z

Link: CVE-2025-13081

Vulnrichment

Updated: 2025-11-18T17:25:30.772Z

NVD

Status : Analyzed

Published: 2025-11-18T17:15:58.987

Modified: 2025-11-24T17:43:15.717

Link: CVE-2025-13081

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13081", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2025-11-12T18:26:37.184Z", "datePublished": "2025-11-18T16:54:56.214Z", "dateUpdated": "2025-11-19T04:55:19.564Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.drupal.org/project/drupal", "defaultStatus": "unaffected", "product": "Drupal core", "repo": "https://git.drupalcode.org/project/drupal", "vendor": "Drupal", "versions": [{"lessThan": "10.4.9", "status": "affected", "version": "8.0.0", "versionType": "semver"}, {"lessThan": "10.5.6", "status": "affected", "version": "10.5.0", "versionType": "semver"}, {"lessThan": "11.1.9", "status": "affected", "version": "11.0.0", "versionType": "semver"}, {"lessThan": "11.2.8", "status": "affected", "version": "11.2.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "anzuukino"}, {"lang": "en", "type": "remediation developer", "value": "Anna Kalata (akalata)"}, {"lang": "en", "type": "remediation developer", "value": "catch (catch)"}, {"lang": "en", "type": "remediation developer", "value": "Neil Drumm (drumm)"}, {"lang": "en", "type": "remediation developer", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "remediation developer", "value": "Lee Rowlands (larowlan)"}, {"lang": "en", "type": "remediation developer", "value": "Dave Long (longwave)"}, {"lang": "en", "type": "remediation developer", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "remediation developer", "value": "Ra M\u00c3\u00a4nd (ram4nd)"}, {"lang": "en", "type": "remediation developer", "value": "Jess (xjm)"}, {"lang": "en", "type": "coordinator", "value": "catch (catch)"}, {"lang": "en", "type": "coordinator", "value": "Lee Rowlands (larowlan)"}, {"lang": "en", "type": "coordinator", "value": "Dave Long (longwave)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "datePublic": "2025-11-12T18:34:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.<p>This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.</p>"}], "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-915", "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2025-11-18T16:54:56.214Z"}, "references": [{"url": "https://www.drupal.org/sa-core-2025-006"}], "source": {"discovery": "UNKNOWN"}, "title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-13081"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T04:55:19.564Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-13081", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-18T17:26:17.062112Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T17:25:30.772Z"}}], "cna": {"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "anzuukino"}, {"lang": "en", "type": "remediation developer", "value": "Anna Kalata (akalata)"}, {"lang": "en", "type": "remediation developer", "value": "catch (catch)"}, {"lang": "en", "type": "remediation developer", "value": "Neil Drumm (drumm)"}, {"lang": "en", "type": "remediation developer", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "remediation developer", "value": "Lee Rowlands (larowlan)"}, {"lang": "en", "type": "remediation developer", "value": "Dave Long (longwave)"}, {"lang": "en", "type": "remediation developer", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "remediation developer", "value": "Ra M\u00c3\u00a4nd (ram4nd)"}, {"lang": "en", "type": "remediation developer", "value": "Jess (xjm)"}, {"lang": "en", "type": "coordinator", "value": "catch (catch)"}, {"lang": "en", "type": "coordinator", "value": "Lee Rowlands (larowlan)"}, {"lang": "en", "type": "coordinator", "value": "Dave Long (longwave)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/drupal", "vendor": "Drupal", "product": "Drupal core", "versions": [{"status": "affected", "version": "8.0.0", "lessThan": "10.4.9", "versionType": "semver"}, {"status": "affected", "version": "10.5.0", "lessThan": "10.5.6", "versionType": "semver"}, {"status": "affected", "version": "11.0.0", "lessThan": "11.1.9", "versionType": "semver"}, {"status": "affected", "version": "11.2.0", "lessThan": "11.2.8", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/drupal", "defaultStatus": "unaffected"}], "datePublic": "2025-11-12T18:34:00.000Z", "references": [{"url": "https://www.drupal.org/sa-core-2025-006"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.", "supportingMedia": [{"type": "text/html", "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.<p>This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2025-11-18T16:54:56.214Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13081", "state": "PUBLISHED", "dateUpdated": "2025-11-19T04:55:19.564Z", "dateReserved": "2025-11-12T18:26:37.184Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2025-11-18T16:54:56.214Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "187161BC-CF72-4A12-9DA7-637A024DD97A", "versionEndExcluding": "10.4.9", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "6637885B-CE3E-4FCE-9899-A21BA12F6C87", "versionEndExcluding": "10.5.6", "versionStartIncluding": "10.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "A80C15FD-FB6B-4E22-B836-8A18842BEED0", "versionEndExcluding": "11.1.9", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D477FF8-4E52-43B9-8799-36DAEB8524E0", "versionEndExcluding": "11.2.8", "versionStartIncluding": "11.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."}], "id": "CVE-2025-13081", "lastModified": "2025-11-24T17:43:15.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-18T17:15:58.987", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2025-006"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-915"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}