DRUPAL-CORE-2025-005

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2025-005.json

JSON Data

https://api.test.osv.dev/v1/vulns/DRUPAL-CORE-2025-005

Aliases

CVE-2025-13080

Published

2025-11-12T18:33:05Z

Modified

2025-11-13T04:42:51.786493Z

Summary

[none]

Details

Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.

This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).

This could be exploited in various ways:

Broken rendering of some pages
Unstyled or malformatted pages
Adverse impacts on client-side functionality

Changes are being made in the underlying library which will mitigate this problem, but in the meantime Drupal core has been hardened to protect against this vulnerability.

References

https://www.drupal.org/sa-core-2025-005

Credits

- Dragos Dumitrescu (dragos-dumi)
- - https://www.drupal.org/u/dragos-dumi
- Nils Destoop (nils.destoop)
- - https://www.drupal.org/u/nilsdestoop
- Sven Decabooter (svendecabooter)
- - https://www.drupal.org/u/svendecabooter
- yasser ALLAM (inzo_)
- - https://www.drupal.org/u/inzo_
- zhero
- - https://www.drupal.org/u/zhero

Affected packages

Packagist / drupal/core

Package

Name: drupal/core
Purl: pkg:composer/drupal/core

Affected ranges

Type

ECOSYSTEM

Events

Introduced

8.0.0

Fixed

10.4.9

Database specific

{
    "constraint": ">= 8.0.0 < 10.4.9"
}

Type

ECOSYSTEM

Events

Introduced

10.5.0

Fixed

10.5.6

Database specific

{
    "constraint": ">= 10.5.0 < 10.5.6"
}

Type

ECOSYSTEM

Events

Introduced

11.0.0

Fixed

11.1.9

Database specific

{
    "constraint": ">= 11.0.0 < 11.1.9"
}

Type

ECOSYSTEM

Events

Introduced

11.2.0

Fixed

11.2.8

Database specific

{
    "constraint": ">= 11.2.0 < 11.2.8"
}

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.1.0-beta1

8.1.0-beta2

8.1.0-rc1

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

8.1.10

8.2.0-beta1

8.2.0-beta2

8.2.0-beta3

8.2.0-rc1

8.2.0-rc2

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

8.2.8

8.3.0-alpha1

8.3.0-beta1

8.3.0-rc1

8.3.0-rc2

8.3.0

8.3.1

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6

8.3.7

8.3.8

8.3.9

8.4.0-alpha1

8.4.0-beta1

8.4.0-rc1

8.4.0-rc2

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.4.6

8.4.7

8.4.8

8.5.0-alpha1

8.5.0-beta1

8.5.0-rc1

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.6.0-alpha1

8.6.0-beta1

8.6.0-beta2

8.6.0-rc1

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.6.5

8.6.6

8.6.7

8.6.8

8.6.9

8.6.10

8.6.11

8.6.12

8.6.13

8.6.14

8.6.15

8.6.16

8.6.17

8.6.18

8.7.0-alpha1

8.7.0-alpha2

8.7.0-beta1

8.7.0-beta2

8.7.0-rc1

8.7.0

8.7.1

8.7.2

8.7.3

8.7.4

8.7.5

8.7.6

8.7.7

8.7.8

8.7.9

8.7.10

8.7.11

8.7.12

8.7.13

8.7.14

8.8.0-alpha1

8.8.0-beta1

8.8.0-rc1

8.8.0

8.8.1

8.8.2

8.8.3

8.8.4

8.8.5

8.8.6

8.8.7

8.8.8

8.8.9

8.8.10

8.8.11

8.8.12

8.9.0-beta1

8.9.0-beta2

8.9.0-beta3

8.9.0-rc1

8.9.0

8.9.1

8.9.2

8.9.3

8.9.4

8.9.5

8.9.6

8.9.7

8.9.8

8.9.9

8.9.10

8.9.11

8.9.12

8.9.13

8.9.14

8.9.15

8.9.16

8.9.17

8.9.18

8.9.19

8.9.20

9.*

9.0.0-alpha1

9.0.0-alpha2

9.0.0-beta1

9.0.0-beta2

9.0.0-beta3

9.0.0-rc1

9.0.0

9.0.1

9.0.2

9.0.3

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.9

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.1.0-alpha1

9.1.0-beta1

9.1.0-rc1

9.1.0-rc2

9.1.0-rc3

9.1.0

9.1.1

9.1.2

9.1.3

9.1.4

9.1.5

9.1.6

9.1.7

9.1.8

9.1.9

9.1.10

9.1.11

9.1.12

9.1.13

9.1.14

9.1.15

9.2.0-alpha1

9.2.0-beta1

9.2.0-beta2

9.2.0-beta3

9.2.0-rc1

9.2.0

9.2.1

9.2.2

9.2.3

9.2.4

9.2.5

9.2.6

9.2.7

9.2.8

9.2.9

9.2.10

9.2.11

9.2.12

9.2.13

9.2.14

9.2.15

9.2.16

9.2.17

9.2.18

9.2.19

9.2.20

9.2.21

9.3.0-alpha1

9.3.0-beta1

9.3.0-beta2

9.3.0-beta3

9.3.0-rc1

9.3.0

9.3.1

9.3.2

9.3.3

9.3.4

9.3.5

9.3.6

9.3.7

9.3.8

9.3.9

9.3.10

9.3.11

9.3.12

9.3.13

9.3.14

9.3.15

9.3.16

9.3.17

9.3.18

9.3.19

9.3.20

9.3.21

9.3.22

9.4.0-alpha1

9.4.0-beta1

9.4.0-rc1

9.4.0-rc2

9.4.0

9.4.1

9.4.2

9.4.3

9.4.4

9.4.5

9.4.6

9.4.7

9.4.8

9.4.9

9.4.10

9.4.11

9.4.12

9.4.13

9.4.14

9.4.15

9.5.0-beta1

9.5.0-beta2

9.5.0-rc1

9.5.0-rc2

9.5.0

9.5.1

9.5.2

9.5.3

9.5.4

9.5.5

9.5.6

9.5.7

9.5.8

9.5.9

9.5.10

9.5.11

10.*

10.0.0-alpha1

10.0.0-alpha2

10.0.0-alpha3

10.0.0-alpha4

10.0.0-alpha5

10.0.0-alpha6

10.0.0-alpha7

10.0.0-beta1

10.0.0-beta2

10.0.0-rc1

10.0.0-rc2

10.0.0-rc3

10.0.0

10.0.1

10.0.2

10.0.3

10.0.4

10.0.5

10.0.6

10.0.7

10.0.8

10.0.9

10.0.10

10.0.11

10.1.0-alpha1

10.1.0-beta1

10.1.0-rc1

10.1.0

10.1.1

10.1.2

10.1.3

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.2.0-alpha1

10.2.0-beta1

10.2.0-rc1

10.2.0

10.2.1

10.2.2

10.2.3

10.2.4

10.2.5

10.2.6

10.2.7

10.2.8

10.2.9

10.2.10

10.2.11

10.2.12

10.3.0-beta1

10.3.0-rc1

10.3.0

10.3.1

10.3.2

10.3.3

10.3.4

10.3.5

10.3.6

10.3.7

10.3.8

10.3.9

10.3.10

10.3.11

10.3.12

10.3.13

10.3.14

10.4.0-beta1

10.4.0-rc1

10.4.0

10.4.1

10.4.2

10.4.3

10.4.4

10.4.5

10.4.6

10.4.7

10.4.8

10.5.0

10.5.1

10.5.2

10.5.3

10.5.4

10.5.5

11.*

11.0.0

11.0.1

11.0.2

11.0.3

11.0.4

11.0.5

11.0.6

11.0.7

11.0.8

11.0.9

11.0.10

11.0.11

11.0.12

11.0.13

11.1.0-beta1

11.1.0-rc1

11.1.0

11.1.1

11.1.2

11.1.3

11.1.4

11.1.5

11.1.6

11.1.7

11.1.8

11.2.0

11.2.1

11.2.2

11.2.3

11.2.4

11.2.5

11.2.6

11.2.7

Database specific

affected_versions

">= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8"