Inside "Anemone": How the Drupal Security Team Handled a Core XSS Vulnerability

In her blog post, Jess (xjm) reveals the backstory of SA-CORE-2025-004, a Drupal core security advisory addressing a cross-site scripting (XSS) vulnerability in the Link module. Internally dubbed "Anemone," the flaw stemmed from improper sanitization of the options property in link fields. The team faced two key challenges: ensuring the core fix didn't break over 60 contributed modules and identifying which of those were also vulnerable.

The solution—led by longwave and implemented by larowlan—involved enhancing the sanitization logic without modifying shared APIs in a security release. This required duplicating and adjusting XSS-related code specifically for the advisory, with plans to refactor post-release. Jess explains how each of the five contributed modules found to be affected required individual attention, with three receiving separate advisories. The disclosure was coordinated and published alongside three contrib advisories on March 19, 2025.

The post highlights a meticulous process involving code duplication, API strategy, and ecosystem audits. 

Reference: "Anemone": The Brief Tale of a Drupal Core Security Advisory (20 June 2025)

Disclosure: This content is produced with the assistance of AI.
