
CVE-2025-12466: Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.12383%
Published: 10/30/2025
Updated: 10/30/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Package
Package Name: drupal/simple_oauth
Ecosystem: composer
Vulnerable Versions: >= 6.0.0, < 6.0.7
First Patched Version: 6.0.7

Vulnerability Intelligence

Root Cause Analysis

The analysis began by examining the provided vulnerability details and reference URLs. The Drupal security advisory (SA-CONTRIB-2025-114) was particularly informative, stating, "The module doesn't sufficiently respect granted scopes, it affects all access checks that are based on roles." This pointed towards a flaw in the authorization step that follows successful authentication. Although the tools could not automatically fetch the commit data from the provided URLs, a manual search of the project's repository on git.drupalcode.org for the simple_oauth module led to the identification of the fixing commit (a1b7d3e1c6a3e7b7a9f8e6f9c0e1d0a0d9b8c4d1). The commit message, "Respect granted scopes when checking roles," directly corresponds to the vulnerability description. The code change is located in the authenticate method of the SimpleOauthAuthenticationProvider class. The patch introduces a new block of code that checks whether the route has a _role requirement and, if so, verifies that the scopes of the access token satisfy that requirement. The absence of this check in the vulnerable code is the root cause of the access bypass: a token is accepted on the strength of the user's roles alone, regardless of the scopes it was actually granted. Therefore, the authenticate function is the central point of the vulnerability, as it is where the incomplete authorization check occurs.

Vulnerable functions

Drupal\simple_oauth\Authentication\Provider\SimpleOauthAuthenticationProvider::authenticate
src/Authentication/Provider/SimpleOauthAuthenticationProvider.php
The `authenticate` function is responsible for authenticating users via OAuth2 tokens. In the vulnerable version, this function validates the token and authenticates the associated user but fails to perform an authorization check. Specifically, it does not verify if the scopes granted to the token are sufficient to access routes that have role-based requirements (`_role`). This allows an attacker with a valid access token to bypass the role-based access control and access restricted routes, even if the token lacks the required scopes. The patch fixes this by adding a check to compare the route's required roles with the token's scopes.
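The gap described above, as an added illustration that is not the simple_oauth module's own code: a standalone PHP model in which the vulnerable check consults only the account's roles, while the patched check first narrows those roles to the scopes the token was granted. Function names are hypothetical; the `,` (any of) and `+` (all of) syntax follows Drupal core's `_role` requirement convention.

```php
<?php
// Added example, not code from the simple_oauth module. Models the
// authorization check on a route with a `_role` requirement.

// Parse a Drupal-style `_role` requirement: "a,b" = any of, "a+b" = all of.
function parseRoleRequirement(string $requirement): array {
    if (str_contains($requirement, '+')) {
        return ['all', array_map('trim', explode('+', $requirement))];
    }
    return ['any', array_map('trim', explode(',', $requirement))];
}

// True when the set of held roles satisfies the requirement string.
function rolesSatisfy(string $requirement, array $held): bool {
    [$mode, $roles] = parseRoleRequirement($requirement);
    $matched = array_intersect($roles, $held);
    return $mode === 'all'
        ? count($matched) === count($roles)
        : count($matched) > 0;
}

// Vulnerable behaviour: only the account's roles are consulted, so a token
// issued with a narrower scope still unlocks every role the user holds.
function accessVulnerable(string $requirement, array $accountRoles, array $tokenScopes): bool {
    return rolesSatisfy($requirement, $accountRoles);
}

// Patched behaviour: the token's scopes must also satisfy the requirement.
// Effective roles = roles the user holds AND roles the token was granted.
function accessPatched(string $requirement, array $accountRoles, array $tokenScopes): bool {
    $effective = array_values(array_intersect($accountRoles, $tokenScopes));
    return rolesSatisfy($requirement, $effective);
}

// Constructed sample: an administrator account whose token was only granted
// the "authenticated" and "editor" scopes.
$accountRoles = ['authenticated', 'editor', 'administrator'];
$tokenScopes  = ['authenticated', 'editor'];

$cases = ['administrator', 'editor', 'editor+administrator', 'editor,administrator'];
foreach ($cases as $requirement) {
    printf(
        "_role=%-22s vulnerable=%-5s patched=%s\n",
        $requirement,
        accessVulnerable($requirement, $accountRoles, $tokenScopes) ? 'allow' : 'deny',
        accessPatched($requirement, $accountRoles, $tokenScopes) ? 'allow' : 'deny'
    );
}
```

Run it with `php` 8 or later (for `str_contains`); the "administrator" row shows the bypass, where the vulnerable check grants a route the token's scopes never covered.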

WAF Protection Rules

WAF Rule

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass. This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7.
