CVE-2025-31674
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
We have discovered 108,654 live websites that are affected by CVE-2025-31674.
Affected Software
| Product |  Drupal |
| Category | Content Management System |
| Vulnerable Domains | 108,654 live websites (51% of Drupal install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 262 versions ( 83% of all versions) |
Common Weakness Enumeration
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object AttributesDetails
- Published - Mar 31, 2025
- Updated - Apr 3, 2025
Credits
- anzuukino (finder)
- shin24 (finder)
- ghost of drupal past (remediation developer)
- Dave Long (longwave) (remediation developer)
- Drew Webber (mcdruid) (remediation developer)
- nicxvan (remediation developer)
- shin24 (remediation developer)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-31674 United States | 39,198 websites |
 Germany | 10,305 websites |
 France | 8,282 websites |
 Belgium | 5,208 websites |
 GB | 3,856 websites |
 Netherlands | 3,686 websites |
 Russia | 3,245 websites |
 Canada | 2,950 websites |
 Italy | 2,761 websites |
 Switzerland | 2,440 websites |
Website Distribution by TLD
Number of websites using CVE-2025-31674| .com | 29,210 websites |
| .org | 10,570 websites |
| .edu | 6,730 websites |
| .de | 6,630 websites |
| .be | 4,917 websites |
| .fr | 4,598 websites |
| .nl | 3,299 websites |
| .ru | 2,586 websites |
| .it | 2,159 websites |
| .ca | 2,158 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-31674
Top websites that are affected by CVE-2025-31674. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.**.uk | GB | *** | |
| *********.com | United States | *** | |
| ***.gov | United States | *** | |
| *******.gov | United States | *,*** | |
| ***.gov | United States | *,*** | |
| ***.gov | United States | *,*** | |
| ******.com | United States | *,*** | |
| *****.com | United States | *,*** | |
| *******.com | United States | *,*** | |
| ***.*******.edu | United States | *,*** |
FAQ
CVE-2025-31674 is Improperly Controlled Modification of Dynamically-Determined Object Attributes in Drupal
A total of 108,654 websites have been identified as vulnerable to CVE-2025-31674, based on global website indexing conducted by WebTechSurvey.
The Drupal is affected by the CVE-2025-31674 vulnerability.
Drupal versions up to 11.1.3 are vulnerable to CVE-2025-31674.
CVE-2025-31674 is resolved in version 11.1.3 of Drupal.