DRUPAL-CONTRIB-2025-035

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/stage_file_proxy/DRUPAL-CONTRIB-2025-035.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-035

Aliases

CVE-2025-3734

Published

2025-04-16T16:25:12Z

Modified

2025-12-10T23:41:32.476342Z

Summary

[none]

Details

Stage File Proxy is a general solution for getting production files on a development server on demand.

The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them. An attacker could send many requests and exhaust disk resources.

This vulnerability is mitigated by the fact it only affects sites where the Origin is configured with a trailing slash. Sites that cannot upgrade immediately can confirm they do not have a trailing slash or remove the trailing slash to mitigate the issue.

References

https://www.drupal.org/sa-contrib-2025-035

Credits

- Ide Braakman (idebr)
- - https://www.drupal.org/u/idebr

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/stage_file_proxy

Package

Name: drupal/stage_file_proxy
Purl: pkg:composer/drupal/stage_file_proxy

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.1.5

Database specific

{
    "constraint": "<3.1.5"
}

Database specific

affected_versions

"<3.1.5"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/stage_file_proxy/DRUPAL-CONTRIB-2025-035.json"