Four Moderately Critical Vulnerabilities Patched in Drupal Core

Drupal has released four security advisories addressing moderately critical vulnerabilities across all supported core versions, urging immediate updates to avoid potential Denial of Service, gadget chain exploitation, defacement, and information disclosure risks.

One advisory (SA-CORE-2025-005) addresses a Denial of Service risk where a rarely used feature, tied to an underlying HTTP library, can override certain request attributes. This can poison cache entries and lead to malformed or incorrect page rendering. Drupal core has been updated to harden against this issue while upstream changes are pending.

Another issue (SA-CORE-2025-006) involves a gadget chain that is not directly exploitable but could allow remote code execution if another insecure deserialization vulnerability is present. While no such exploits exist in Drupal core currently, the chain has been mitigated preemptively.

A third vulnerability (SA-CORE-2025-007) enables temporary site defacement via specially crafted URLs. These URLs cause transient alterations to site appearance, but the defacement is not persistent and does not expose underlying content.

The final advisory (SA-CORE-2025-008) describes an information disclosure scenario involving cached private files. If custom or contributed modules define additional file schemes, and these files are accessed by privileged users and then cached, subsequent access by others may reveal data they should not see. This issue is configuration-dependent and has been addressed in the patch.

All four issues affect Drupal core versions from 8.0.0 through recent 11.2.x releases. Recommended updates include versions 10.4.9, 10.5.6, 11.1.9, and 11.2.8. Older branches, including 10.3.x and 11.0.x, are end-of-life and not covered by these security releases.

All advisories are classified as “Moderately Critical” by the Drupal Security Team. Administrators should assess their site’s core version and update immediately to mitigate the outlined vulnerabilities and reduce exposure to indirect attack vectors such as gadget chains or caching misconfigurations.

Administrators should update their Drupal core installations to the latest supported versions. Visit the official Drupal Security advisories page for full patch notes and guidance.
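To turn the version guidance above into a repeatable check, here is an added example (not code from Drupal or from this portal) that triages Drupal core version strings against the fixed releases and affected range named in the advisories; the hostnames and versions in SAMPLE_SITES are constructed.

```python
# Added example (not Drupal's own code): triage Drupal core version strings
# against the fixed releases named for SA-CORE-2025-005 through -008.
import re

# Fixed releases named in the advisories, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {(10, 4): (10, 4, 9), (10, 5): (10, 5, 6),
                   (11, 1): (11, 1, 9), (11, 2): (11, 2, 8)}
# Affected range stated in the advisories: 8.0.0 through the 11.2.x branch.
AFFECTED_MIN = (8, 0, 0)
AFFECTED_MAX_BRANCH = (11, 2)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version):
    """Parse '10.4.9' or '11.2.8-rc1' into a sortable tuple (None if malformed).
    The last element is 0 for a pre-release and 1 for a final release, so
    '11.2.8-rc1' sorts below the fixed release 11.2.8 and stays vulnerable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def triage(version):
    """Return 'patched', 'vulnerable', 'unsupported', 'outside_range' or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    branch = parsed[:2]
    if branch in FIXED_BY_BRANCH:
        return "patched" if parsed >= FIXED_BY_BRANCH[branch] + (1,) else "vulnerable"
    if parsed[:3] >= AFFECTED_MIN and branch <= AFFECTED_MAX_BRANCH:
        # Affected, but no fixed release exists for this branch (for example
        # the end-of-life 10.3.x and 11.0.x): only a branch upgrade helps.
        return "unsupported"
    return "outside_range"  # not in the range the advisories describe


def triage_inventory(sites):
    """Group site names by triage result so the vulnerable ones stand out."""
    groups = {}
    for name, version in sites.items():
        groups.setdefault(triage(version), []).append(name)
    return groups


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_SITES = {"intranet.example": "10.4.8", "shop.example": "10.5.6",
                "blog.example": "11.2.8-rc1", "legacy.example": "10.3.14"}
```

Feed it the output of `drush status --field=drupal-version` (or the version from core/lib/Drupal.php) for each site; anything reported as vulnerable or unsupported needs attention.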
