CVE-2025-13083

Information Exposure
Affects: Drupal core in Drupal 7
Versions: >=7.0 <=7.103
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications.

This issue is an information disclosure risk caused by missing Cache-Control headers on private file downloads. When a response is not explicitly marked private or no-store, browsers and intermediary caches (proxies, CDNs) may store its content. The two directives differ: private forbids shared caches from storing the response but still allows the user's own browser to keep a copy, while no-store forbids both. An attacker who can reach a cached copy (for example, on a shared workstation, through a caching proxy, or via browser history) may then view content that should only be available to authenticated users, without ever passing Drupal's access check.

Information exposure, also called information disclosure or sensitive data exposure, is a class of vulnerability in which an application reveals confidential or otherwise useful details to unauthorized parties because of inadequate protection: weak cryptography, misconfiguration, or flawed access control. Its severity depends on what is exposed and to whom; this instance is rated Low (see the details below). According to OWASP, it can stem from transmitting data in clear text, using outdated cryptographic algorithms, improper key management, or failing to sanitize error messages and responses, letting attackers intercept, infer, or directly access information such as configuration, server details, user credentials, or API keys. It maps to the OWASP Top 10 categories A01:2021 – Broken Access Control (ranked first) and A05:2021 – Security Misconfiguration (ranked fifth); the 2017 category A3: Sensitive Data Exposure is now covered by A02:2021 – Cryptographic Failures (ranked second). Attackers exploit it through network sniffing, analysis of error output, or misconfigured endpoints, often as a stepping stone to further attacks.

Ramifications include:

  • Data breaches
  • Identity theft
  • Financial losses
  • Further exploits
  • Legal penalties, and
  • Reputational damage.

This issue affects all versions of Drupal 7 equal to or lower than 7.103 and is patched in Drupal 7 NES version 7.103.12.

Details

Vulnerability Info

This low-severity vulnerability is found in all versions of Drupal 7 equal to or lower than 7.103.

With the fix, when no module's hook_file_download() implementation sets a Cache-Control header on a file download, core now defaults it to private. The public value is used only for schemes explicitly configured as public through the file_additional_public_schemes variable.

Steps To Reproduce

  1. Set up an affected version of Drupal 7 (<= 7.103) and configure the private file system (the private directory must exist, be writable by the web server user, and sit outside the web root).
  2. Go to Admin > Structure > Content types > Add content type and add a File field. Set its upload destination to Private files.
  3. Create a node with a private file attachment that is restricted to authenticated users.
  4. Log in as an authenticated user and open the file by clicking the attachment (confirm it downloads successfully).
  5. Inspect the response headers of the download (browser dev tools, or curl -I on the file URL with the session cookie passed via -b; curl -I sends HEAD, so if the headers differ from what the browser shows, use a GET and dump them with curl -sD - -o /dev/null) and confirm no Cache-Control header is present.
  6. Log out and revisit the file URL via browser history/back or reload.
  7. Observe that the file is served from cache (e.g., “from disk cache” in DevTools) even though the logged-out user no longer has permission to download it.
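The checks in steps 4 to 7 scripted with PHP's curl extension, as an added example that is not code from Drupal or from this advisory. The file URL and the session cookie are assumed inputs copied from the browser after step 4; the “constructed sample” header set at the bottom is made up so the verdict logic can be exercised with no network access.

```php
<?php
/**
 * check_private_download.php: added example, not Drupal code. Scripts steps
 * 4 to 7 above: fetch a private file with a logged-in session, classify what
 * caches may do with the response, then repeat anonymously to confirm the
 * access check fires (expect 403).
 *
 * Usage: php check_private_download.php <file-url> "<session-cookie>"
 *   <session-cookie> is the Drupal 7 session cookie copied from the browser
 *   after step 4, e.g. "SESS0123abcd=...". With no arguments the script only
 *   runs the verdict on a constructed header set (no network access).
 */

/**
 * Classifies a response from its headers (names compared case-insensitively,
 * repeated Cache-Control headers joined). Returns one of:
 *   'not-storable'  no-store present: neither browser nor shared cache keeps it
 *   'browser-only'  private present: proxies/CDNs must not store it, but the
 *                   user's browser may, so a shared workstation can replay it
 *   'storable'      neither: any cache may keep it, heuristically fresh from
 *                   Last-Modified; no-cache alone only forces revalidation
 *                   and does not prevent storage
 */
function cache_verdict(array $headers) {
  $cc = array();
  foreach ($headers as $name => $value) {
    if (strtolower($name) === 'cache-control') {
      $cc = array_merge($cc, (array) $value);
    }
  }
  $directives = array_map('trim', explode(',', strtolower(implode(',', $cc))));
  if (in_array('no-store', $directives, TRUE)) {
    return 'not-storable';
  }
  if (in_array('private', $directives, TRUE)) {
    return 'browser-only';
  }
  return 'storable';
}

/**
 * GET $url (not HEAD: file_download() streams the file on GET and that is the
 * path browsers take) and return array(status, headers, body length).
 * Headers are collected as name => array of values so duplicates survive.
 */
function fetch_with_headers($url, $cookie = '') {
  $headers = array();
  $ch = curl_init($url);
  curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_FOLLOWLOCATION => FALSE,
    CURLOPT_HEADERFUNCTION => function ($ch, $line) use (&$headers) {
      $parts = explode(':', $line, 2);
      if (count($parts) === 2) {
        $headers[trim($parts[0])][] = trim($parts[1]);
      }
      return strlen($line);
    },
  ));
  if ($cookie !== '') {
    curl_setopt($ch, CURLOPT_COOKIE, $cookie);
  }
  $body = curl_exec($ch);
  $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  curl_close($ch);
  return array($status, $headers, strlen((string) $body));
}

if ($argc >= 3) {
  list($status, $headers, $len) = fetch_with_headers($argv[1], $argv[2]);
  printf("authenticated: HTTP %d, %d bytes, verdict=%s\n", $status, $len, cache_verdict($headers));
  list($status, , $len) = fetch_with_headers($argv[1]);
  printf("anonymous:     HTTP %d, %d bytes (expect 403)\n", $status, $len);
  // Finding: HTTP 200 while authenticated with any verdict other than
  // 'not-storable' means a cached copy can outlive the session.
}
else {
  // Constructed sample: a private download carrying no Cache-Control at all,
  // as observed in step 5.
  $sample = array(
    'Content-Type' => array('application/pdf'),
    'Content-Disposition' => array('attachment; filename="report.pdf"'),
    'Last-Modified' => array('Mon, 03 Nov 2025 10:00:00 GMT'),
  );
  printf("constructed sample: verdict=%s\n", cache_verdict($sample));
}
```

The three-way verdict is the point: a site that has already added Cache-Control: private (the value the fix defaults to) still reports browser-only, which is enough against proxies and CDNs but not against the shared-workstation case in step 6; only no-store makes the download not-storable.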

Addressing the Issue

Users of the affected component(s) should address this issue in one of the following ways:

  • Add web server rules for private file paths to force Cache-Control: private, no-store and Pragma: no-cache (e.g., on system/files or your private scheme route).
  • Configure reverse proxies/CDNs to bypass caching for authenticated requests and for private file endpoints.
  • Require authentication for any file downloads that could include sensitive data; ensure access checks are enforced before returning headers.
  • The above mitigations have trade-offs and may not stop a determined attacker. Consider signing up for post-EOL security support; HeroDevs customers get immediate access to a patched version of Drupal 7 core.
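The module-level counterpart to the web server rules above, and to the fix described under Vulnerability Info (core defaulting Cache-Control when no module sets it), as an added example. This is a hypothetical Drupal 7 module named private_nocache written for this page; it is not Drupal core code and not the NES patch. It reroutes the system/files menu item through a wrapper that runs the normal hook_file_download() access checks first and then forces Cache-Control: private, no-store and Pragma: no-cache on every private download, whatever other modules returned.

```php
<?php
/**
 * @file
 * private_nocache.module: hypothetical Drupal 7 module (added example; not
 * Drupal core and not the NES patch). Wraps the private-file download path so
 * every private download is delivered with an explicit non-storable
 * Cache-Control header, after the usual hook_file_download() access checks.
 */

/**
 * Implements hook_menu_alter().
 *
 * Core routes system/files/... to file_download() with 'private' as its
 * first page argument; remaining path components arrive as extra arguments.
 * Point the item at our wrapper instead (menu is rebuilt on module enable).
 */
function private_nocache_menu_alter(&$items) {
  if (isset($items['system/files'])) {
    $items['system/files']['page callback'] = 'private_nocache_download';
  }
}

/**
 * Menu callback: replacement for file_download() on the private scheme.
 *
 * Follows core's flow: every module's hook_file_download() checks access and
 * contributes headers, -1 denies, no headers at all denies, then the file is
 * streamed. The only change is that headers pass through
 * private_nocache_harden_headers() before file_transfer().
 */
function private_nocache_download() {
  $args = func_get_args();
  $scheme = array_shift($args);
  $uri = $scheme . '://' . implode('/', $args);

  if (!file_stream_wrapper_valid_scheme($scheme) || !file_exists($uri)) {
    return drupal_not_found();
  }
  // Policy choice for this example: private files require a logged-in user,
  // decided before any header is computed (mitigation bullet three).
  if ($scheme === 'private' && !user_is_logged_in()) {
    return drupal_access_denied();
  }

  $headers = module_invoke_all('file_download', $uri);
  foreach ($headers as $result) {
    // Identical comparison: a module returning TRUE must not read as -1.
    if ($result === -1) {
      return drupal_access_denied();
    }
  }
  if (!count($headers)) {
    return drupal_access_denied();
  }
  file_transfer($uri, private_nocache_harden_headers($headers));
}

/**
 * Normalizes collected headers and forces cache directives.
 *
 * module_invoke_all() merges results with array_merge_recursive(), so when
 * two modules return the same header name its value arrives as an array;
 * keep the last value so drupal_add_http_header() receives a string. Any
 * case variant of Cache-Control and Pragma is dropped and replaced.
 */
function private_nocache_harden_headers(array $headers) {
  $clean = array();
  foreach ($headers as $name => $value) {
    if (is_int($name)) {
      continue;  // scalar results such as TRUE are not headers
    }
    if (in_array(strtolower($name), array('cache-control', 'pragma'), TRUE)) {
      continue;  // replaced below
    }
    $clean[$name] = is_array($value) ? end($value) : $value;
  }
  $clean['Cache-Control'] = 'private, no-store';
  $clean['Pragma'] = 'no-cache';
  return $clean;
}
```

After enabling the module, repeat steps 4 and 5: the authenticated download should now carry Cache-Control: private, no-store. If another module also alters system/files in hook_menu_alter(), the later one by module weight wins, so check the final page callback with a menu dump before relying on this.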

Vulnerability Details
ID: CVE-2025-13083
Project Affected: Drupal core
Versions Affected: >=7.0 <=7.103
NES Versions Affected:
Published date: February 13, 2026
≈ Fix date: November 13, 2025
Severity: Low
(CVSS assessment scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
Category: Information Exposure