Drupal patches critical Vulnerability in Drupal Core

published: Sept. 21, 2023

Take action: Plan to patch your Drupal release, and in the meantime if possible disable the JSON:API module in Drupal.

Learn More

Drupal reports a cache poisoning vulnerability in Drupal Core, that's classified as critical per Drupal's internal classification:
Security Risk: Critical 16∕25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default

Drupal's JSON:API module can, in specific scenarios, generate error backtraces. Under certain configurations, this might lead to caching sensitive data and making it accessible to anonymous users, potentially resulting in privilege escalation.
This vulnerability exclusively impacts websites with the JSON:API module activated and can be mitigated by deactivating JSON:API.

The core REST and contributed GraphQL modules remain unaffected.

The Drupal Steward partners have been informed of this concern. While some platforms might offer mitigations, it's important to note that not all Web Application Firewall (WAF) configurations can effectively mitigate this issue. Therefore, it is strongly advised to promptly update to this security release if your website utilizes JSON:API.

To remedy the vulnerability, install the latest version

  • For Drupal 10.1 users, update to Drupal 10.1.4.
  • For Drupal 10.0 users, update to Drupal 10.0.11.
  • For Drupal 9.5 users, update to Drupal 9.5.11.

Please note that all Drupal 9 versions preceding 9.5 are no longer supported for security updates. Additionally, Drupal 8 has reached its end of life. Drupal 7 remains unaffected.

Drupal patches critical Vulnerability in Drupal Core