DRUPAL-CONTRIB-2025-017

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/config_split/DRUPAL-CONTRIB-2025-017.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-017

Aliases

CVE-2025-31688
GHSA-qq45-cqhg-jwx5

Published

2025-02-12T17:38:22Z

Modified

2025-12-10T23:40:59.564506Z

Summary

[none]

Details

This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments.

The module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling or disabling a split.

This vulnerability is mitigated by the fact that an attacker must know the machine name of a split and deceive a user with the permission to modify it.
The status only takes effect when exporting the configuration (1.x and 2.x) or importing the configuration (1.x only) and the status is not fixed via configuration override, which is the typical setup.

References

https://www.drupal.org/sa-contrib-2025-017

Credits

- Eric Smith (ericgsmith)
- - https://www.drupal.org/u/ericgsmith

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/config_split

Package

Name: drupal/config_split
Purl: pkg:composer/drupal/config_split

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.10.0

Database specific

{
    "constraint": "<1.10.0"
}

Type

ECOSYSTEM

Events

Introduced

2.0.0

Fixed

2.0.2

Database specific

{
    "constraint": ">=2.0.0 <2.0.2"
}

Database specific

affected_versions

"<1.10.0 || >=2.0.0 <2.0.2"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/config_split/DRUPAL-CONTRIB-2025-017.json"