Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2025-31694

CVE-2025-31694:
Drupal Two-factor Authentication (TFA) Vulnerable to Forceful Browsing

8.1

CVSS Score

Basic Information

CVE ID
CVE-2025-31694
GHSA ID
GHSA-hf6c-fgp3-jfch
EPSS Score
-
CWE
CWE-288
Published
4/1/2025
Updated
4/2/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
drupal/tfacomposer< 1.10.01.10.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers on improper route access controls (CWE-288/CWE-863). In Drupal, route access is determined by access check services like TfaAccessCheck. The advisory explicitly states the module failed to prevent route overrides that bypass TFA, indicating the access control handler was deficient. The patched version's added route integrity checks and access enforcement further corroborate that the TfaAccessCheck::access method was the focal point of the authorization flaw. During exploitation, this function would appear in stack traces when attackers access overridden routes without proper TFA validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In*orr**t *ut*oriz*tion vuln*r**ility in *rup*l Two-***tor *ut**nti**tion (T**) *llows *or***ul *rowsin*. T*is issu* *****ts Two-***tor *ut**nti**tion (T**): *rom *.*.* ***or* *.**.*.

Reasoning

T** vuln*r**ility **nt*rs on improp*r rout* ****ss *ontrols (*W*-***/*W*-***). In *rup*l, rout* ****ss is **t*rmin** *y ****ss ****k s*rvi**s lik* T******ss****k. T** **visory *xpli*itly st*t*s t** mo*ul* **il** to pr*v*nt rout* ov*rri**s t**t *yp*ss