DRUPAL-CONTRIB-2025-122

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/next/DRUPAL-CONTRIB-2025-122.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-122
Aliases
  • CVE-2025-13984
Published
2025-12-03T18:49:18Z
Modified
2025-12-10T23:41:25.263244Z
Summary
[none]
Details

This module enables integration between Next.js and Drupal for headless CMS functionality.

When installed, the module automatically enables cross-origin resource sharing (CORS) with insecure default settings (Access-Control-Allow-Origin: *), overriding any services.yml CORS configuration. This allows any origin to make cross-origin requests to the site without administrator knowledge or consent.

This vulnerability affects all installations as there are no configuration options to disable this behavior.


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/next

Package

Name
drupal/next
Purl
pkg:composer/drupal/next

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.4
Database specific
{
    "constraint": "<1.6.4"
}
Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.1
Database specific
{
    "constraint": ">=2.0.0 <2.0.1"
}

Database specific

affected_versions

"<1.6.4 || >=2.0.0 <2.0.1"
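
Because the module offers no setting to turn the wildcard CORS behavior off, the practical check is whether an installed drupal/next falls inside the affected ranges listed above. The following is an added example, not part of the advisory or the module's code: it audits a composer.lock document against those ranges. The names audit_lock, AFFECTED_RANGES and SAMPLE_LOCK are assumptions made for this example, and pre-release or dev versions are reported as "unknown" for manual review rather than guessed.

```python
import json
import re

PACKAGE = "drupal/next"
# Affected ranges copied from the advisory: "<1.6.4 || >=2.0.0 <2.0.1".
# Each entry is (introduced, fixed); None means all previous versions.
AFFECTED_RANGES = [(None, (1, 6, 4)), ((2, 0, 0), (2, 0, 1))]
# Only plain stable versions (optionally "v"-prefixed) are compared.
STABLE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample lock file, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/next", "version": "2.0.0"},
    ],
    "packages-dev": [],
})


def in_affected_range(version):
    """True if a (major, minor, patch) tuple is inside an affected range."""
    for introduced, fixed in AFFECTED_RANGES:
        if (introduced is None or version >= introduced) and version < fixed:
            return True
    return False


def audit_lock(lock_text):
    """Return (status, raw_version) for drupal/next in composer.lock text.

    status is one of: affected, not_affected, unknown, not_installed.
    """
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        raw = pkg.get("version", "")
        match = STABLE.fullmatch(raw.strip())
        if not match:
            # dev branches and alpha/beta/rc builds need manual review
            return ("unknown", raw)
        version = tuple(int(part) for part in match.groups())
        status = "affected" if in_affected_range(version) else "not_affected"
        return (status, raw)
    return ("not_installed", None)


if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

An "affected" result means the site should move to 1.6.4 or 2.0.1, the fixed versions given in the advisory.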