DRUPAL-CONTRIB-2025-021

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ai/DRUPAL-CONTRIB-2025-021.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-021
Aliases
Published
2025-03-05T17:18:25Z
Modified
2025-12-10T23:41:11.732598Z
Summary
[none]
Details

The AI Automators module (a submodule of AI) enables you to create different automated tasks that fill out field data using LLM outputs.

The module doesn't sufficiently sanitize input before passing it to the underlying shell as part of a command for execution, allowing an attacker to run arbitrary commands.

The vulnerability exists in optional Automator Types which are part of the optional AI Automators (sub)module.

The AI module is included in Drupal CMS.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/ai

Package

Name
drupal/ai
Purl
pkg:composer/drupal/ai

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.5
Database specific
{
    "constraint": "<1.0.5"
}

Database specific

affected_versions
"<1.0.5"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ai/DRUPAL-CONTRIB-2025-021.json"