it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005
- Date: Thu, 13 Nov 2025 00:13:34 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=j0i9JFWA; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 9118940B28
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 301136061E
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2025-005
Project: Drupal core [1]
Date: 2025-November-12
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Denial of Service
Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8
CVE IDs: CVE-2025-13080
Description:
Drupal Core has a rarely used feature, provided by an underlying library,
which allows certain attributes of incoming HTTP requests to be overridden.
This functionality can be abused in a way that may cause Drupal to cache
response data that it should not. This can lead to legitimate requests
receiving inappropriate cached responses (cache poisoning).
Exploitation could have a range of impacts, including:
* Broken rendering of some pages
* Unstyled or malformatted pages
* Adverse impacts on client-side functionality
Changes are being made in the underlying library which will mitigate this
problem, but in the meantime Drupal core has been hardened to protect against
this vulnerability.
Solution:
Install the latest version:
* If you are using Drupal 10.4, update to Drupal 10.4.9 [3].
* If you are using Drupal 10.5, update to Drupal 10.5.6 [4].
* If you are using Drupal 11.1, update to Drupal 11.1.9 [5].
* If you are using Drupal 11.2, update to Drupal 11.2.8 [6].
Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive
security coverage. (Drupal 8 [7] and Drupal 9 [8] have both reached
end-of-life.)
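A triage helper for the ranges above, added here as an example and not part of the advisory or of Drupal itself: it parses the composer-style "Affected versions" constraint exactly as printed, decides whether a given core version falls inside it, and maps each still-supported branch to the fixed release named under "Solution" (branches the advisory lists as end-of-life get no fixed release). The site inventory at the bottom is constructed.

```python
"""Check Drupal core versions against SA-CORE-2025-005 (added example)."""
import re

# Copied verbatim from the advisory's "Affected versions" line.
AFFECTED = (">= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || "
            ">= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8")
# Branch -> fixed release, from the advisory's "Solution" section.
FIXED = {(10, 4): "10.4.9", (10, 5): "10.5.6", (11, 1): "11.1.9", (11, 2): "11.2.8"}

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "==": lambda a, b: a == b}


def parse_version(text):
    """'10.4.9' -> (10, 4, 9, 1). A pre-release such as '10.4.9-rc1' -> (10, 4, 9, 0),
    so it sorts below the final release and is still treated as unfixed."""
    core, _, suffix = text.strip().partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(p) for p in parts) + ((0,) if suffix else (1,))


def parse_constraint(expr):
    """Split 'A || B || ...' into alternatives; each alternative is a list of
    (operator, version) clauses that must all hold."""
    ranges = []
    for alt in expr.split("||"):
        clauses = re.findall(r"(>=|<=|==|>|<)\s*([0-9][0-9A-Za-z.\-]*)", alt)
        if not clauses:
            raise ValueError(f"empty alternative in constraint: {alt!r}")
        ranges.append([(op, parse_version(v)) for op, v in clauses])
    return ranges


def is_affected(version, expr=AFFECTED):
    v = parse_version(version)
    return any(all(_OPS[op](v, bound) for op, bound in clauses)
               for clauses in parse_constraint(expr))


def recommended_update(version):
    """Fixed release for the site's branch, or None when the advisory names none
    (11.0.x, 10.3.x and earlier are end-of-life)."""
    major, minor, *_ = parse_version(version)
    return FIXED.get((major, minor))


def triage(sites):
    """sites: {name: version} -> {name: (affected, fixed_release_or_None)}."""
    return {n: (is_affected(v), recommended_update(v) if is_affected(v) else None)
            for n, v in sites.items()}


if __name__ == "__main__":
    inventory = {"intranet": "10.4.8", "shop": "11.2.8", "legacy": "9.5.11"}  # constructed
    for site, (hit, fix) in triage(inventory).items():
        print(site, "not affected" if not hit else
              f"AFFECTED, update to {fix}" if fix else "AFFECTED, branch is end-of-life")
```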
Reported By:
* Dragos Dumitrescu (dragos-dumi) [9]
* yasser ALLAM (inzo_) [10]
* Nils Destoop (nils.destoop) [11]
* Sven Decabooter (svendecabooter) [12]
* zhero [13]
Fixed By:
* Alex Pott (alexpott) [14] of the Drupal Security Team
* catch (catch) [15] of the Drupal Security Team
* cilefen (cilefen) [16] of the Drupal Security Team
* Jen Lampton (jenlampton) [17], provisional member of the Drupal Security Team
* Lee Rowlands (larowlan) [18] of the Drupal Security Team
* Dave Long (longwave) [19] of the Drupal Security Team
* Drew Webber (mcdruid) [20] of the Drupal Security Team
* Nils Destoop (nils.destoop) [21]
* Juraj Nemec (poker10) [22] of the Drupal Security Team
* Ra Mänd (ram4nd) [23], provisional member of the Drupal Security Team
* Jess (xjm) [24] of the Drupal Security Team
Coordinated By:
* catch (catch) [25] of the Drupal Security Team
* Greg Knaddison (greggles) [26] of the Drupal Security Team
* Lee Rowlands (larowlan) [27] of the Drupal Security Team
* Dave Long (longwave) [28] of the Drupal Security Team
* Drew Webber (mcdruid) [29] of the Drupal Security Team
* Juraj Nemec (poker10) [30] of the Drupal Security Team
* Jess (xjm) [31] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [32]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/10.4.9
[4] https://www.drupal.org/project/drupal/releases/10.5.6
[5] https://www.drupal.org/project/drupal/releases/11.1.9
[6] https://www.drupal.org/project/drupal/releases/11.2.8
[7] https://www.drupal.org/psa-2021-06-29
[8] https://www.drupal.org/psa-2023-11-01
[9] https://www.drupal.org/u/dragos-dumi
[10] https://www.drupal.org/u/inzo_
[11] https://www.drupal.org/u/nilsdestoop
[12] https://www.drupal.org/u/svendecabooter
[13] https://www.drupal.org/u/zhero
[14] https://www.drupal.org/u/alexpott
[15] https://www.drupal.org/u/catch
[16] https://www.drupal.org/u/cilefen
[17] https://www.drupal.org/u/jenlampton
[18] https://www.drupal.org/u/larowlan
[19] https://www.drupal.org/u/longwave
[20] https://www.drupal.org/u/mcdruid
[21] https://www.drupal.org/u/nilsdestoop
[22] https://www.drupal.org/u/poker10
[23] https://www.drupal.org/u/ram4nd
[24] https://www.drupal.org/u/xjm
[25] https://www.drupal.org/u/catch
[26] https://www.drupal.org/u/greggles
[27] https://www.drupal.org/u/larowlan
[28] https://www.drupal.org/u/longwave
[29] https://www.drupal.org/u/mcdruid
[30] https://www.drupal.org/u/poker10
[31] https://www.drupal.org/u/xjm
[32] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3557474
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19+.