Skip to main content
CVE Vulnerability Database

CVE-2025-9549: Drupal Facets Auth Bypass Vulnerability

CVE-2025-9549 is an authorization bypass vulnerability in Drupal Facets that enables forceful browsing attacks. This article covers the technical details, affected versions from 0.0.0 to 2.0.10 and 3.0.0 to 3.0.1, and mitigation.

Published:

CVE-2025-9549 Overview

CVE-2025-9549 is a Missing Authorization vulnerability [CWE-862] affecting the Drupal Facets module. The flaw allows unauthenticated attackers to perform forceful browsing against filtered search interfaces. Affected versions include Facets releases from 0.0.0 before 2.0.10 and from 3.0.0 before 3.0.1. The module is widely deployed on Drupal sites that use faceted search navigation for content filtering.

The vulnerability is network-exploitable, requires no privileges, and no user interaction. It impacts confidentiality and integrity at a limited scope but does not affect availability.

Critical Impact

Unauthenticated attackers can access facet-filtered content and search results that should be restricted, exposing sensitive data via forced browsing of URLs.

Affected Products

  • Drupal Facets module versions 0.0.0 through 2.0.9
  • Drupal Facets module versions 3.0.0 through 3.0.0
  • Drupal sites relying on Facets for permission-aware search filtering

Discovery Timeline

  • 2025-10-10 - CVE-2025-9549 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9549

Vulnerability Analysis

The Drupal Facets module provides faceted navigation for search results, letting users refine listings by taxonomy, content type, and other attributes. The module fails to enforce authorization checks when rendering facet items or processing facet queries. This mapping to CWE-862 (Missing Authorization) indicates that access control decisions are absent where they should verify a user's rights to view specific content or metadata.

Attackers exploit the flaw through forceful browsing. They craft or guess URLs that expose facet data derived from content the requesting user is not permitted to see. The result is disclosure of filtered items and modification of state tied to those facets.

Because the module operates on the search layer, results can leak the existence, counts, and attributes of restricted nodes even when the underlying content view enforces node-level permissions correctly.

Root Cause

The root cause is the absence of authorization validation between Facets query building and result rendering. The module trusts request parameters and index data without re-validating that the requesting session has permission for each surfaced item or attribute.

Attack Vector

Exploitation occurs over the network against any Drupal endpoint that exposes a facet-enabled search or listing page. An unauthenticated attacker issues HTTP requests with manipulated facet query parameters or path segments. The server responds with facet aggregates and item references that should have been filtered by the user's role.

No verified public exploit code is available. See the Drupal Security Advisory 2025-099 for the vendor's technical description.

Detection Methods for CVE-2025-9549

Indicators of Compromise

  • Anonymous or low-privilege HTTP requests containing f[0]=, f[1]=, or similar facet query parameters against Drupal search paths.
  • Web server logs showing enumeration patterns across facet URLs, such as rapid iteration through taxonomy term IDs.
  • Access log entries referencing restricted content identifiers returned in facet responses to unauthenticated sessions.

Detection Strategies

  • Inventory Drupal installations and identify sites running the Facets module at versions below 2.0.10 or 3.0.1.
  • Review application logs for unauthenticated access to search pages containing facet parameters and correlate against expected traffic baselines.
  • Deploy web application firewall rules that flag anomalous facet parameter enumeration from single source addresses.

Monitoring Recommendations

  • Enable verbose logging on Drupal search and Views endpoints where Facets is active.
  • Monitor for spikes in 4xx and 2xx responses on facet URLs from anonymous sessions.
  • Alert on outbound egress of large search result sets to unauthenticated clients.

How to Mitigate CVE-2025-9549

Immediate Actions Required

  • Upgrade Facets to version 2.0.10 if running the 2.x branch.
  • Upgrade Facets to version 3.0.1 if running the 3.x branch.
  • Audit facet-enabled search pages for exposed restricted content and rotate any leaked identifiers or references.

Patch Information

The Drupal Security Team addressed the Missing Authorization flaw in Facets 2.0.10 and 3.0.1. Patch details and download links are available in the Drupal Security Advisory 2025-099. Administrators should apply the update using standard Drupal module update procedures and clear caches after deployment.

Workarounds

  • Disable the Facets module on public-facing sites until patching is complete.
  • Restrict access to facet-enabled search pages using Drupal role-based permissions or web server ACLs.
  • Deploy WAF rules that require authenticated sessions before serving requests containing facet query parameters.
bash
# Update Facets module via Composer to the patched release
composer require 'drupal/facets:^2.0.10' --update-with-dependencies
# Or for the 3.x branch
composer require 'drupal/facets:^3.0.1' --update-with-dependencies

# Apply database updates and clear caches
drush updatedb -y
drush cache:rebuild

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.