DRUPAL-CONTRIB-2025-004

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ai/DRUPAL-CONTRIB-2025-004.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-004

Aliases

CVE-2025-31678
GHSA-c8q6-wp7v-46r9

Published

2025-01-22T16:50:12Z

Modified

2025-12-10T23:41:13.011541Z

Summary

[none]

Details

The AI logging sub-module enables you to log AI requests and responses for debugging and auditing purposes.

The module doesn't sufficiently check for access to view the preview listing of the logs. Full log details are correctly protected, and API keys are never logged.

This vulnerability is mitigated by the fact that it only affects sites using the AI Logging sub-module with 'Log requests' enabled in the AI Logging configuration page.

References

https://www.drupal.org/sa-contrib-2025-004

Credits

- Mingsong
- - https://www.drupal.org/user/2986445

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/ai

Package

Name: drupal/ai
Purl: pkg:composer/drupal/ai

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.0.3

Database specific

{
    "constraint": "<1.0.3"
}

Database specific

affected_versions

"<1.0.3"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ai/DRUPAL-CONTRIB-2025-004.json"