Drupal’s JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.
This vulnerability is mitigated by three factors:
The JSON:API or REST File upload modules must be enabled on the site.
An attacker must have access to a file upload via JSON:API or REST.
The site must employ a file validation module.
This advisory is not covered by Drupal Steward.
Also see GraphQL – Moderately critical – Access bypass – SA-CONTRIB-2021-029, which addresses a similar vulnerability in that module.
Install the latest version:
If you are using Drupal 9.2, update to Drupal 9.2.6.
If you are using Drupal 9.1, update to Drupal 9.1.13.
If you are using Drupal 8.9, update to Drupal 8.9.19.
Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.
Drupal 7 core is not affected.
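As an added triage example (not part of the advisory), the following Python maps a site's core version string onto the fixed releases listed above and then applies the advisory's three mitigating factors. The function names and the pre-release handling are this example's own assumptions; the version thresholds come from the advisory.

```python
import re
from typing import Tuple

# Fixed releases per supported branch, as listed in the advisory above.
FIXED_RELEASES = {(9, 2): (9, 2, 6), (9, 1): (9, 1, 13), (8, 9): (8, 9, 19)}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][-prerelease]' into a comparable tuple.
    The last element is 1 for a final release and 0 for a pre-release, so
    9.2.6-rc1 sorts below 9.2.6; PATCH is optional because Drupal 7 uses
    two-part versions such as 7.82 (assumed format, not from the advisory)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch, prerelease = m.groups()
    return int(major), int(minor), int(patch or 0), 0 if prerelease else 1


def assess(version: str) -> Tuple[str, str]:
    """Classify a core version: returns (status, action) with status one of
    'not-affected', 'end-of-life', 'vulnerable', 'fixed' or 'unknown'."""
    major, minor, patch, final = parse_version(version)
    if major == 7:
        return "not-affected", "Drupal 7 core is not affected."
    if major not in (8, 9):
        return "unknown", "Version is outside the branches this advisory covers."
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # 8.0-8.8 and 9.0 receive no security coverage, so no fix exists there.
        return "end-of-life", "Branch is end-of-life; move to a supported branch."
    fixed_str = ".".join(map(str, fixed))
    if (major, minor, patch, final) >= fixed + (1,):
        return "fixed", f"Already at {fixed_str} or later."
    return "vulnerable", f"Update to {fixed_str}."


def is_exposed(version: str, upload_module_enabled: bool,
               untrusted_upload_access: bool, validation_module_present: bool) -> bool:
    """Apply the advisory's three mitigating factors on top of the version
    check: a site is exposed only when core is in a vulnerable range, JSON:API
    or REST file upload is enabled, a role an attacker could hold may upload
    through it, and the site relies on a file validation module."""
    return (assess(version)[0] == "vulnerable" and upload_module_enabled
            and untrusted_upload_access and validation_module_present)
```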
Lee Rowlands of the Drupal Security Team
Alex Pott of the Drupal Security Team
Jess of the Drupal Security Team
Samuel Mortenson
Drew Webber of the Drupal Security Team
Kim Pepper