Miggo Logo
Miggo Vulnerability Database
CVE-2025-31674

CVE-2025-31674: Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-31674
GHSA ID
GHSA-2qph-q8xw-gv7q
EPSS Score
0.49135%
CWE
CWE-915
Published
4/1/2025
Updated
4/1/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
drupal/corecomposer>= 8.0.0, < 10.3.1310.3.13
drupal/corecomposer>= 10.4.0, < 10.4.310.4.3
drupal/corecomposer>= 11.0.0, < 11.0.1211.0.12
drupal/corecomposer>= 11.1.0, < 11.1.311.1.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers around improper unserialization leading to object injection. Drupal's PhpSerialize::decode() method is the primary location where unserialize() operations occur. In vulnerable versions, this method would lack proper allowed_classes restrictions. The security advisory indicates the issue is mitigated by requiring separate input validation, implying the core vulnerability exists at the unserialization point. While no direct patch diff is available, the CWE-915 pattern and Drupal's architecture strongly suggest PhpSerialize::decode as the vulnerable function when handling untrusted data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Improp*rly *ontroll** Mo*i*i**tion o* *yn*mi**lly-**t*rmin** O*j**t *ttri*ut*s vuln*r**ility in *rup*l *rup*l *or* *llows O*j**t Inj**tion.T*is issu* *****ts *rup*l *or*: *rom *.*.* ***or* **.*.**, *rom **.*.* ***or* **.*.*, *rom **.*.* ***or* **.*.*

Reasoning

T** vuln*r**ility **nt*rs *roun* improp*r uns*ri*liz*tion l***in* to o*j**t inj**tion. *rup*l's `P*pS*ri*liz*::***o**()` m*t*o* is t** prim*ry lo**tion w**r* `uns*ri*liz*()` op*r*tions o**ur. In vuln*r**l* v*rsions, t*is m*t*o* woul* l**k prop*r *llo