The file download facility doesn’t sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.
Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
This advisory is covered by Drupal Steward.
We would normally not apply for a release of this severity. However, in this case we have chosen to apply Drupal Steward security coverage to test our processes.
Drupal 7
All Drupal 7 sites on Windows web servers are vulnerable.
Drupal 7 sites on Linux web servers are vulnerable with certain file directory structures, or if a vulnerable contributed or custom file access module is installed.
Drupal 9 and 10
Drupal 9 and 10 sites are only vulnerable if certain contributed or custom file access modules are installed.
Install the latest version:
If you are using Drupal 10.0, update to Drupal 10.0.8.
If you are using Drupal 9.5, update to Drupal 9.5.8.
If you are using Drupal 9.4, update to Drupal 9.4.14.
If you are using Drupal 7, update to Drupal 7.96.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Heine of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
David Rothstein of the Drupal Security Team
xjm of the Drupal Security Team
Wim Leers
Damien McKenna of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Conrad Lara
Peter Wolanin of the Drupal Security Team
Drew Webber of the Drupal Security Team
Benji Fisher of the Drupal Security Team
Juraj Nemec, provisional member of the Drupal Security Team
Jen Lampton, provisional member of the Drupal Security Team
Dave Long of the Drupal Security Team
Kim Pepper
Alex Pott of the Drupal Security Team
Neil Drumm of the Drupal Security Team
More Stories
USN-7169-5: Linux kernel (Real-time) vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This...
stb-0^20241002git31707d1-4.el9
FEDORA-EPEL-2025-75d8605b8c Packages in this update: stb-0^20241002git31707d1-4.el9 Update description: Add another patch for the root cause of CVE-2021-45340. We already have...
stb-0^20241002git31707d1-5.el10_0
FEDORA-EPEL-2025-93a1152ae1 Packages in this update: stb-0^20241002git31707d1-5.el10_0 Update description: Add another patch for the root cause of CVE-2021-45340. We already have...
stb-0^20241002git31707d1-4.fc40
FEDORA-2025-49e8952aab Packages in this update: stb-0^20241002git31707d1-4.fc40 Update description: Add another patch for the root cause of CVE-2021-45340. We already have...
ZDI-25-026: Mintty Path Conversion Improper Input Validation Information Disclosure Vulnerability
This vulnerability allows remote attackers to relay NTLM credentials on affected installations of Mintty. User interaction is required to exploit...
Ivanti Connect Secure Zero-Day Vulnerability
What are the Vulnerabilities?Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure (“ICS”) VPN appliances. CVE-2025-0282 is an...