CVE-2025-13080 Overview
CVE-2025-13080 is an Improper Check for Unusual or Exceptional Conditions vulnerability [CWE-754] in Drupal core. The flaw allows unauthenticated attackers to perform Forceful Browsing against affected sites over the network. Drupal published the issue in advisory SA-CORE-2025-005 and released fixed versions across all supported branches.
The vulnerability affects Drupal core from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, and from 11.2.0 before 11.2.8. The issue impacts availability but does not compromise confidentiality or integrity.
Critical Impact
Remote unauthenticated attackers can exploit the flaw over the network with low complexity, potentially degrading site availability across a broad Drupal installed base.
Affected Products
- Drupal core 8.0.0 through versions before 10.4.9
- Drupal core 10.5.0 through versions before 10.5.6
- Drupal core 11.0.0 through versions before 11.1.9, and 11.2.0 through versions before 11.2.8
Discovery Timeline
- 2025-11-18 - CVE-2025-13080 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-13080
Vulnerability Analysis
The vulnerability is classified under [CWE-754], Improper Check for Unusual or Exceptional Conditions. Drupal core fails to correctly handle an exceptional condition during request processing, allowing an attacker to reach resources or trigger code paths that should be restricted. The Drupal Security Team categorizes the resulting behavior as Forceful Browsing, in which a client accesses application logic or content by directly requesting URLs rather than following the intended navigation flow.
An attacker exploits the issue by sending crafted HTTP requests over the network. No authentication or user interaction is required, and the attack complexity is low. Successful exploitation impacts availability, consistent with a request path that consumes resources or disrupts expected control flow rather than exfiltrating data.
Root Cause
The root cause is missing or incorrect validation of an exceptional runtime condition inside Drupal core. When a request meets the unhandled condition, the affected code path proceeds instead of failing safely, exposing behavior the developers did not intend to be reachable from unauthenticated requests.
Attack Vector
The attack vector is remote and network-based. An attacker enumerates or requests specific endpoint paths against an unpatched Drupal site. Because the flaw is triggered through standard HTTP request handling, exploitation does not depend on privileged accounts, plugins, or custom modules. Refer to the Drupal Security Advisory SA-CORE-2025-005 for technical specifics.
Detection Methods for CVE-2025-13080
Indicators of Compromise
- Unusual spikes in HTTP requests to Drupal endpoints from a small set of source IPs, particularly against paths not linked from public navigation.
- Elevated PHP-FPM or web server resource consumption correlated with anonymous traffic bursts.
- Web server access logs showing repeated direct requests to internal or administrative-style paths without a referrer chain.
Detection Strategies
- Inventory Drupal core versions across all hosted sites and flag any instance below 10.4.9, 10.5.6, 11.1.9, or 11.2.8.
- Deploy Web Application Firewall (WAF) rules that alert on anonymous request patterns matching Forceful Browsing behavior against Drupal routes.
- Correlate anonymous request volume with backend error rates to surface exploitation attempts targeting the vulnerable code path.
Monitoring Recommendations
- Forward web server, PHP, and Drupal watchdog logs to a centralized analytics platform for query and alerting.
- Baseline normal request rates per endpoint so anomalous Forceful Browsing traffic stands out against expected traffic.
- Track responses with HTTP 5xx status codes on Drupal endpoints to identify availability degradation early.
How to Mitigate CVE-2025-13080
Immediate Actions Required
- Upgrade Drupal core to 10.4.9, 10.5.6, 11.1.9, or 11.2.8 depending on the branch in use.
- Audit anonymous request logs for the days preceding the upgrade to identify any prior exploitation attempts.
- Prioritize patching public-facing sites and multi-tenant hosting environments where a single unpatched site can affect shared resources.
Patch Information
Drupal released fixes in core versions 10.4.9, 10.5.6, 11.1.9, and 11.2.8. Details and download links are available in the Drupal Security Advisory SA-CORE-2025-005. Sites running Drupal 7 are end-of-life and should migrate to a supported branch.
Workarounds
- Apply WAF signatures or rate-limit rules restricting anonymous access to sensitive Drupal routes until the upgrade completes.
- Restrict administrative and non-public endpoints to trusted IP ranges at the reverse proxy or CDN layer.
- Enable aggressive caching for anonymous traffic to reduce backend exposure to Forceful Browsing request patterns.
# Configuration example: verify Drupal core version and update via Composer
php core/scripts/drupal --version
composer update drupal/core "drupal/core-*" --with-all-dependencies
drush updatedb -y
drush cache:rebuild
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

