CVE-2025-14472 Overview
CVE-2025-14472 is a Cross-Site Request Forgery (CSRF) vulnerability in the Drupal Acquia Content Hub module. The flaw affects Acquia Content Hub versions prior to 3.6.4 and versions 3.7.0 through 3.7.2. Attackers can trick authenticated users into submitting forged state-changing requests by luring them to a malicious page. Successful exploitation impacts both confidentiality and integrity of the affected Drupal site. The vulnerability is tracked under CWE-352: Cross-Site Request Forgery.
Critical Impact
Attackers can perform unauthorized state-changing actions in Acquia Content Hub by abusing the trust of an authenticated administrator session, leading to high impact on confidentiality and integrity.
Affected Products
- Acquia Content Hub for Drupal versions 0.0.0 through 3.6.3
- Acquia Content Hub for Drupal versions 3.7.0 through 3.7.2
- Drupal sites with the Acquia Content Hub module enabled
Discovery Timeline
- 2026-01-28 - CVE-2025-14472 published to NVD
- 2026-02-06 - Last updated in NVD database
Technical Details for CVE-2025-14472
Vulnerability Analysis
The Acquia Content Hub module fails to enforce anti-CSRF protections on one or more state-changing endpoints. An attacker hosting a crafted page can issue requests that the victim's browser submits with valid session cookies. Because the server does not validate request origin or a unique token, the forged action executes under the authenticated user's privileges. The vulnerability requires user interaction, such as clicking a link or visiting a malicious site, but no attacker authentication is needed.
Root Cause
The root cause is missing or insufficient CSRF token validation on sensitive operations exposed by the Acquia Content Hub module. Drupal provides built-in CSRF token APIs, but affected routes did not consistently apply them. This omission allowed cross-origin requests with ambient credentials to be processed as legitimate.
Attack Vector
Exploitation occurs over the network through a victim's browser. An attacker crafts an HTML page containing a form or script targeting a vulnerable Content Hub endpoint. When an authenticated Drupal user with Content Hub privileges visits the page, the browser auto-submits the request with session cookies. The server processes the request, allowing the attacker to manipulate Content Hub configurations or trigger administrative actions.
No verified public exploit code is available for this vulnerability. For technical specifics, see the Drupal Security Advisory 2025-125.
Detection Methods for CVE-2025-14472
Indicators of Compromise
- Unexpected configuration changes within Acquia Content Hub administrative settings
- Web server access logs showing POST requests to Content Hub endpoints with Referer or Origin headers pointing to external untrusted domains
- Drupal watchdog entries reflecting state changes initiated by users who did not actively perform them
Detection Strategies
- Inspect web server and reverse proxy logs for cross-origin POST requests targeting Acquia Content Hub routes
- Correlate Drupal audit logs with user session timelines to identify actions occurring outside expected user workflows
- Deploy web application firewall (WAF) rules that flag state-changing requests lacking valid CSRF tokens
Monitoring Recommendations
- Enable verbose Drupal logging for the Acquia Content Hub module and forward events to a centralized SIEM
- Monitor for sudden spikes in administrative actions originating from a single user account
- Alert on HTTP requests to Content Hub endpoints with mismatched Origin or Referer headers
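The log checks described under Indicators of Compromise, Detection Strategies and Monitoring Recommendations can be scripted against access logs in Combined Log Format. The following is an added example, not code from the advisory or from the Acquia Content Hub project. The site host, the route prefix (a placeholder, since the affected routes are not listed here) and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def find_cross_origin_writes(lines, site_hosts, route_prefixes):
    """Flag state-changing requests to watched routes whose Referer is
    missing or names a host that is not one of the site's own hosts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in STATE_CHANGING:
            continue
        path = urlsplit(m["path"]).path  # drop any query string
        if not any(path.startswith(p) for p in route_prefixes):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            reason = "missing-referer"  # lower confidence, review manually
        else:
            # Exact host comparison, so look-alike hosts are not trusted.
            host = (urlsplit(referer).hostname or "").lower()
            if host in site_hosts:
                continue
            reason = "cross-origin-referer"
        findings.append({"time": m["time"], "ip": m["ip"], "path": path,
                         "referer": referer, "reason": reason})
    return findings

def _line(n, req, ref):  # builds one constructed log line
    return (f'198.51.100.7 - - [01/Feb/2026:10:00:0{n} +0000] '
            f'"{req} HTTP/1.1" 303 512 "{ref}" "Mozilla/5.0"')

SITE_HOSTS = {"cms.example.org"}                  # assumption: the site's host
HUB = "/admin/CONTENT-HUB-ROUTE-PLACEHOLDER/settings"  # placeholder route
ROUTE_PREFIXES = ("/admin/CONTENT-HUB-ROUTE-PLACEHOLDER",)
SAMPLE_LOG = [
    _line(1, f"POST {HUB}", f"https://cms.example.org{HUB}"),   # same origin
    _line(2, f"POST {HUB}", "https://lure.example.net/page.html"),
    _line(3, f"POST {HUB}", "-"),                               # no Referer
    _line(4, f"GET {HUB}", "https://lure.example.net/page.html"),
    _line(5, "POST /user/login", "https://lure.example.net/"),  # other route
    _line(6, f"POST {HUB}", "https://cms.example.org.lookalike.test/"),
]
```

Combined Log Format records the Referer header but not Origin, so matching on Origin requires a custom log format at the web server or reverse proxy.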
How to Mitigate CVE-2025-14472
Immediate Actions Required
- Upgrade Acquia Content Hub to version 3.6.4 if running the 3.6.x branch
- Upgrade Acquia Content Hub to version 3.7.3 if running the 3.7.x branch
- Review recent Content Hub configuration changes and user activity for signs of abuse
- Rotate API keys and credentials associated with Content Hub integrations as a precaution
Patch Information
Acquia and the Drupal security team have released fixed versions 3.6.4 and 3.7.3 that introduce proper CSRF token validation on affected endpoints. Refer to the Drupal Security Advisory 2025-125 for the official remediation details and download links.
Workarounds
- Restrict access to Drupal administrative paths via IP allowlists at the reverse proxy or WAF layer
- Require administrators to use separate browser sessions or profiles when managing the Drupal site
- Enforce SameSite=Strict or SameSite=Lax cookie attributes on Drupal session cookies to reduce cross-origin exposure
# Example: enforce SameSite cookie attribute in Drupal sites/default/services.yml
parameters:
  session.storage.options:
    cookie_samesite: Strict
# Example: update Acquia Content Hub via Composer
composer require 'drupal/acquia_contenthub:^3.7.3' --update-with-dependencies
drush updatedb
drush cache:rebuild
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


