CVE-2025-48444: Drupal Quick Node Block Missing Authorization vulnerability
5.3
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/quick_node_block | composer | < 2.0.0 | 2.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CVE-2025-48444, GHSA-c424-hgg9-9c4w) is a missing authorization issue in the Drupal Quick Node Block module, allowing forceful browsing. According to the Drupal security advisory SA-CONTRIB-2025-064, the module didn't check access to content before displaying it, allowing unauthorized users to retrieve information about nodes.
The analysis focused on identifying the code changes that addressed this vulnerability. The patched version is 2.0.0 (or 2.0.1 as per Drupal SA). The relevant commit was found on Drupal's GitLab instance (git.drupalcode.org) for the quick_node_block project. Specifically, commit 1533a313, titled 'Issue #3444944: Add access check', directly addresses the vulnerability.
The commit modifies the file src/Plugin/Block/QuickNodeBlock.php, specifically the build() method within the QuickNodeBlock class. The patch introduces an access check using $node->access('view') before the node's content is prepared for rendering. The absence of this check in versions prior to 2.0.0 is the root cause of the vulnerability.
Therefore, the Drupal\quick_node_block\Plugin\Block\QuickNodeBlock::build() method is identified as the vulnerable function. During exploitation, this function would be invoked to render a block. Without the access check, it would improperly disclose information from nodes that the user is not authorized to see. The runtime profiler would show this method in the stack trace when the vulnerable functionality is triggered.
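The following is an added illustration, not the quick_node_block module's own code: a hypothetical Drupal block plugin showing the unchecked pattern the advisory describes next to a build() that performs the $node->access('view') check and carries the access result's cacheability into the render array, so the per-user decision is not served from cache to a different user. The plugin id, namespace and the `nid` configuration key are assumptions.

```php
<?php

namespace Drupal\example_block\Plugin\Block;

use Drupal\Core\Block\BlockBase;
use Drupal\Core\Cache\CacheableMetadata;
use Drupal\node\NodeInterface;

/**
 * Hypothetical block that renders a node chosen in the block configuration.
 *
 * @Block(
 *   id = "example_node_block",
 *   admin_label = @Translation("Example node block")
 * )
 */
class ExampleNodeBlock extends BlockBase {

  /**
   * Unchecked pattern: the node is rendered for whoever can see the block,
   * regardless of whether the current user may view the node itself.
   */
  public function buildUnchecked(): array {
    $node = \Drupal::entityTypeManager()->getStorage('node')->load($this->configuration['nid']);
    if (!$node instanceof NodeInterface) {
      return [];
    }
    return \Drupal::entityTypeManager()->getViewBuilder('node')->view($node, 'teaser');
  }

  /**
   * Hardened pattern: consult entity access, then merge the access result's
   * cache contexts/tags (e.g. user.permissions, node grants) into the output.
   */
  public function build(): array {
    $node = \Drupal::entityTypeManager()->getStorage('node')->load($this->configuration['nid']);
    $build = [];
    if (!$node instanceof NodeInterface) {
      return $build;
    }
    // Third argument TRUE returns an AccessResult object instead of a bool,
    // which is what lets us preserve the decision's cacheability metadata.
    $access = $node->access('view', NULL, TRUE);
    if ($access->isAllowed()) {
      $build = \Drupal::entityTypeManager()->getViewBuilder('node')->view($node, 'teaser');
    }
    // Attach cacheability even when access is denied: an empty block must not
    // be cached and later served to a user who is allowed to see the node.
    CacheableMetadata::createFromRenderArray($build)
      ->merge(CacheableMetadata::createFromObject($access))
      ->applyTo($build);
    return $build;
  }

}
```

In real module code the entity type manager would be injected via create() rather than fetched with the static \Drupal service locator; the static calls are used here only to keep the example short.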
Note: The commit information was obtained by manually inspecting the git.drupalcode.org repository, as the provided tools are primarily for GitHub repositories and no direct GitHub mirror with the specific commit was readily available or provided.