{"id":"DRUPAL-CORE-2025-005","details":"Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.\n\nThis functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).\n\nThis could be exploited in various ways:\n\n* Broken rendering of some pages\n* Unstyled or malformatted pages\n* Adverse impacts on client-side functionality\n\nChanges are being made in the underlying library which will mitigate this problem, but in the meantime Drupal core has been hardened to protect against this vulnerability. The authors of the underlying library do not believe it is a source of vulnerabilities in other systems. Drupal's use of the library leads to an implementation-specific vulnerability, so we've issued this advisory and reserved a CVE ID for the vulnerability in Drupal.","aliases":["BIT-drupal-2025-13080","CVE-2025-13080","GHSA-83v7-c2cf-p9c2"],"modified":"2025-12-10T23:41:07.744028Z","published":"2025-11-12T18:33:05Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-core-2025-005"}],"affected":[{"package":{"name":"drupal/core","ecosystem":"Packagist","purl":"pkg:composer/drupal/core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"8.0.0"},{"fixed":"10.4.9"}],"database_specific":{"constraint":"\u003e= 8.0.0 \u003c 10.4.9"}},{"type":"ECOSYSTEM","events":[{"introduced":"10.5.0"},{"fixed":"10.5.6"}],"database_specific":{"constraint":"\u003e= 10.5.0 \u003c 10.5.6"}},{"type":"ECOSYSTEM","events":[{"introduced":"11.0.0"},{"fixed":"11.1.9"}],"database_specific":{"constraint":"\u003e= 11.0.0 \u003c 11.1.9"}},{"type":"ECOSYSTEM","events":[{"introduced":"11.2.0"},{"fixed":"11.2.8"}],"database_specific":{"constraint":"\u003e= 11.2.0 \u003c 11.2.8"}}],"versions":["10.0.0","10.0.0-alpha1","10.0.0-alpha2","10.0.0-alpha3","10.0.0-alpha4","10.0.0-alpha5","10.0.0-alpha6","10.0.0-alpha7","10.0.0-beta1","10.0.0-beta2","10.0.0-rc1","10.0.0-rc2","10.0.0-rc3","10.0.1","10.0.10","10.0.11","10.0.2","10.0.3","10.0.4","10.0.5","10.0.6","10.0.7","10.0.8","10.0.9","10.1.0","10.1.0-alpha1","10.1.0-beta1","10.1.0-rc1","10.1.1","10.1.2","10.1.3","10.1.4","10.1.5","10.1.6","10.1.7","10.1.8","10.2.0","10.2.0-alpha1","10.2.0-beta1","10.2.0-rc1","10.2.1","10.2.10","10.2.11","10.2.12","10.2.2","10.2.3","10.2.4","10.2.5","10.2.6","10.2.7","10.2.8","10.2.9","10.3.0","10.3.0-beta1","10.3.0-rc1","10.3.1","10.3.10","10.3.11","10.3.12","10.3.13","10.3.14","10.3.2","10.3.3","10.3.4","10.3.5","10.3.6","10.3.7","10.3.8","10.3.9","10.4.0","10.4.0-beta1","10.4.0-rc1","10.4.1","10.4.2","10.4.3","10.4.4","10.4.5","10.4.6","10.4.7","10.4.8","10.5.0","10.5.1","10.5.2","10.5.3","10.5.4","10.5.5","11.0.0","11.0.1","11.0.10","11.0.11","11.0.12","11.0.13","11.0.2","11.0.3","11.0.4","11.0.5","11.0.6","11.0.7","11.0.8","11.0.9","11.1.0","11.1.0-beta1","11.1.0-rc1","11.1.1","11.1.2","11.1.3","11.1.4","11.1.5","11.1.6","11.1.7","11.1.8","11.2.0","11.2.1","11.2.2","11.2.3","11.2.4","11.2.5","11.2.6","11.2.7","8.0.0","8.0.1","8.0.2","8.0.3","8.0.4","8.0.5","8.0.6","8.1.0","8.1.0-beta1","8.1.0-beta2","8.1.0-rc1","8.1.1","8.1.10","8.1.2","8.1.3","8.1.4","8.1.5","8.1.6","8.1.7","8.1.8","8.1.9","8.2.0","8.2.0-beta1","8.2.0-beta2","8.2.0-beta3","8.2.0-rc1","8.2.0-rc2","8.2.1","8.2.2","8.2.3","8.2.4","8.2.5","8.2.6","8.2.7","8.2.8","8.3.0","8.3.0-alpha1","8.3.0-beta1","8.3.0-rc1","8.3.0-rc2","8.3.1","8.3.2","8.3.3","8.3.4","8.3.5","8.3.6","8.3.7","8.3.8","8.3.9","8.4.0","8.4.0-alpha1","8.4.0-beta1","8.4.0-rc1","8.4.0-rc2","8.4.1","8.4.2","8.4.3","8.4.4","8.4.5","8.4.6","8.4.7","8.4.8","8.5.0","8.5.0-alpha1","8.5.0-beta1","8.5.0-rc1","8.5.1","8.5.10","8.5.11","8.5.12","8.5.13","8.5.14","8.5.15","8.5.2","8.5.3","8.5.4","8.5.5","8.5.6","8.5.7","8.5.8","8.5.9"
,"8.6.0","8.6.0-alpha1","8.6.0-beta1","8.6.0-beta2","8.6.0-rc1","8.6.1","8.6.10","8.6.11","8.6.12","8.6.13","8.6.14","8.6.15","8.6.16","8.6.17","8.6.18","8.6.2","8.6.3","8.6.4","8.6.5","8.6.6","8.6.7","8.6.8","8.6.9","8.7.0","8.7.0-alpha1","8.7.0-alpha2","8.7.0-beta1","8.7.0-beta2","8.7.0-rc1","8.7.1","8.7.10","8.7.11","8.7.12","8.7.13","8.7.14","8.7.2","8.7.3","8.7.4","8.7.5","8.7.6","8.7.7","8.7.8","8.7.9","8.8.0","8.8.0-alpha1","8.8.0-beta1","8.8.0-rc1","8.8.1","8.8.10","8.8.11","8.8.12","8.8.2","8.8.3","8.8.4","8.8.5","8.8.6","8.8.7","8.8.8","8.8.9","8.9.0","8.9.0-beta1","8.9.0-beta2","8.9.0-beta3","8.9.0-rc1","8.9.1","8.9.10","8.9.11","8.9.12","8.9.13","8.9.14","8.9.15","8.9.16","8.9.17","8.9.18","8.9.19","8.9.2","8.9.20","8.9.3","8.9.4","8.9.5","8.9.6","8.9.7","8.9.8","8.9.9","9.0.0","9.0.0-alpha1","9.0.0-alpha2","9.0.0-beta1","9.0.0-beta2","9.0.0-beta3","9.0.0-rc1","9.0.1","9.0.10","9.0.11","9.0.12","9.0.13","9.0.14","9.0.2","9.0.3","9.0.4","9.0.5","9.0.6","9.0.7","9.0.8","9.0.9","9.1.0","9.1.0-alpha1","9.1.0-beta1","9.1.0-rc1","9.1.0-rc2","9.1.0-rc3","9.1.1","9.1.10","9.1.11","9.1.12","9.1.13","9.1.14","9.1.15","9.1.2","9.1.3","9.1.4","9.1.5","9.1.6","9.1.7","9.1.8","9.1.9","9.2.0","9.2.0-alpha1","9.2.0-beta1","9.2.0-beta2","9.2.0-beta3","9.2.0-rc1","9.2.1","9.2.10","9.2.11","9.2.12","9.2.13","9.2.14","9.2.15","9.2.16","9.2.17","9.2.18","9.2.19","9.2.2","9.2.20","9.2.21","9.2.3","9.2.4","9.2.5","9.2.6","9.2.7","9.2.8","9.2.9","9.3.0","9.3.0-alpha1","9.3.0-beta1","9.3.0-beta2","9.3.0-beta3","9.3.0-rc1","9.3.1","9.3.10","9.3.11","9.3.12","9.3.13","9.3.14","9.3.15","9.3.16","9.3.17","9.3.18","9.3.19","9.3.2","9.3.20","9.3.21","9.3.22","9.3.3","9.3.4","9.3.5","9.3.6","9.3.7","9.3.8","9.3.9","9.4.0","9.4.0-alpha1","9.4.0-beta1","9.4.0-rc1","9.4.0-rc2","9.4.1","9.4.10","9.4.11","9.4.12","9.4.13","9.4.14","9.4.15","9.4.2","9.4.3","9.4.4","9.4.5","9.4.6","9.4.7","9.4.8","9.4.9","9.5.0","9.5.0-beta1","9.5.0-beta2","9.5.0-rc1","9.5.0-rc2","9.5.1","9.5.10","9.5.11","9.5.2","9.5.3","9.5.4","9.5.5","9.5.6","9.5.7","9.5.8","9.5.9"],"database_specific":{"source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2025-005.json","affected_versions":"\u003e= 8.0.0 \u003c 10.4.9 || \u003e= 10.5.0 \u003c 10.5.6 || \u003e= 11.0.0 \u003c 11.1.9 || \u003e= 11.2.0 \u003c 11.2.8"}}],"schema_version":"1.7.3","credits":[{"name":"Dragos Dumitrescu (dragos-dumi)","contact":["https://www.drupal.org/u/dragos-dumi"]},{"name":"Nils Destoop (nils.destoop)","contact":["https://www.drupal.org/u/nilsdestoop"]},{"name":"Sven Decabooter (svendecabooter)","contact":["https://www.drupal.org/u/svendecabooter"]},{"name":"yasser ALLAM (inzo_)","contact":["https://www.drupal.org/u/inzo_"]},{"name":"zhero","contact":["https://www.drupal.org/u/zhero"]}]}