{ "canonical_id": "drupal--9d2d9c684a", "system_id": "drupal", "display_name": "Drupal", "category": "cms", "advisory_mode": "core", "title": "Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008", "summary": "
Project: 
Drupal core
Date: 
2025-November-12
Security risk: 
Moderately critical 10\u2009\u2215\u200925 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: 
Information disclosure
Affected versions: 
>= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 < 11.1.9 || >= 11.2.0 < 11.2.8
CVE IDs: 
CVE-2025-13083
Description: 

The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module.

\n

In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN.

\n

This vulnerability is mitigated by the following:

\n
    \n
  1. Drupal must be configured to handle non-public files using a custom or contributed module providing an additional file scheme.
    2. \n
  2. An attacker must know to request a file that has previously been
    \nrequested by a more-privileged user, and that file must still be cached.
    3. \n
Solution: 

Install the latest version:

\n\n

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 
Fixed By: 
Coordinated By: 
", "published_at": "Wed, 12 Nov 2025 20:16:22 +0000", "updated_at": "Wed, 12 Nov 2025 20:16:22 +0000", "severity": "unknown", "cvss_score": null, "exploit_status": "unknown", "source_confidence": "official", "official_source_url": "https://www.drupal.org/sa-core-2025-008", "secondary_source_urls": [], "aliases": [], "cve_ids": [], "ghsa_ids": [], "osv_ids": [], "affected_versions": [], "fixed_versions": [], "package_name": null, "render_markdown": false, "case_path": null, "secure_code_topics": [ "authz-server-side-recheck", "xss-output-encoding", "file-upload-validation", "plugin-extension-trust-policy" ], "status": "triage", "triage_reasons": [ "missing affected/fixed version details" ], "entity_refs": [ { "entity_id": "drupal", "entity_type": "system", "relation": "root-system", "root_system_id": "drupal", "official": true } ], "affected_components": [ { "name": "Drupal", "entity_id": "drupal", "scope": "core", "package_name": null, "official": true } ], "affected_version_ranges": [], "fixed_version_ranges": [], "introduced_version": null, "patched_version": null, "version_evidence_sources": [ "https://www.drupal.org/sa-core-2025-008" ], "affected_version_refs": [], "fixed_version_refs": [], "patched_version_refs": [], "version_sync_confidence": "low", "advisory_scope": "core", "version_confidence": "low", "version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions", "version_resolution_needed": true, "workflow": { "workflow_id": "drupal--9d2d9c684a--workflow", "vuln_family": "xss", "entry_surface": "web-ui-render-path", "preconditions": [ "\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002", "\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d", "\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002" ], "required_role": "editor-or-admin", "affected_version_assertion": [ "\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d" ], "trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002", "request_or_ui_path": [ "/admin/editor", "/preview", "/rendered-content" ], "input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002", "expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002", "server_evidence_points": [ "\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808", "\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56" ], "browser_evidence_points": [ "\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02", "console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7" ], "db_or_fs_evidence_points": [ "\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e", "\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9" ], "detection_signals": [ "WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66", "\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6" ], "mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002", "patch_validation_steps": [ "\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002", "\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002", "\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002", "\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002" ], "lab_safety_notes": [ "\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002", "\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002", "\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002" ], "review_state": "needs-version-gap-review" }, "verification_status": "triage-manual", "verification_mode": "synthetic", "last_verified_at": null, "last_run_id": null, "evidence_bundle": null, "historical_status": null, "latest_status": null, "browser_evidence": { "required": false, "present": false, "refs": [] }, "repro_profile_id": "xss-generic", "artifact_mode": "official-image", "blocked_reason": null, "metadata": { "source_names": [ "Drupal Security Advisories RSS" ], "source_kinds": [ "rss-feed" ], "candidate_count": 1, "entity_ref_count": 1, "advisory_scope": "core", "version_confidence": "low", "workflow_id": "drupal--9d2d9c684a--workflow" } }