DRUPAL-CONTRIB-2025-119

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ai/DRUPAL-CONTRIB-2025-119.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-119

Aliases

CVE-2025-13981

Published

2025-12-03T18:48:23Z

Modified

2025-12-10T23:41:33.083924Z

Summary

[none]

Details

This modules provides the ability to chat with an AI Agent using a large-language model (LLM) provider for different purposes.

The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting (XSS) vulnerability where an attacker can use prompt injections on user-generated content with the LLM as context.

References

https://www.drupal.org/sa-contrib-2025-119

Credits

- Drew Webber (mcdruid)
- - https://www.drupal.org/u/mcdruid

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/ai

Package

Name: drupal/ai
Purl: pkg:composer/drupal/ai

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.0.7

Database specific

{
    "constraint": "<1.0.7"
}

Type

ECOSYSTEM

Events

Introduced

1.1.0

Fixed

1.1.7

Database specific

{
    "constraint": ">=1.1.0 <1.1.7"
}

Type

ECOSYSTEM

Events

Introduced

1.2.0

Fixed

1.2.4

Database specific

{
    "constraint": ">=1.2.0 <1.2.4"
}

Database specific

affected_versions

"<1.0.7 || >=1.1.0 <1.1.7 || >=1.2.0 <1.2.4"