CVE-2025-31675

Cross-Site Scripting
Affects Link in Drupal 7
Versions >=7.1.0 <=7.1.12
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. The Link module in Drupal core is responsible for constructing links securely.

The vulnerability is also present in the versions of the Link module used by Drupal 7.

The fix provided by HeroDevs introduces the AttributeXss class, which parses attribute strings into arrays while skipping prohibited attributes and selectively stripping dangerous protocols from URI-like values unless the attribute is safe (e.g., title, class, or data-*). The sanitizeAttributes() method processes attribute arrays by reconstructing and filtering each key-value pair, ensuring only safe ones are retained before rendering, thus preventing malicious attributes from reaching the output.
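As an added illustration of the approach described above, and not HeroDevs' or Drupal's own code, the following PHP models the sanitization step: prohibited attribute names are dropped, URI-like values have any scheme outside an allow-list stripped, and title, class and data-* values pass through unchanged. The class and method names, the prohibited-name rule (on* handlers and style) and the scheme allow-list are assumptions made for the example.

```php
<?php
// Added example, not HeroDevs' or Drupal's own code: a minimal model of the attribute
// sanitisation the advisory describes. Names and attribute lists are assumptions. PHP 7.1+.
declare(strict_types=1);
final class LinkAttributeSanitizer
{
    // Attribute names that never carry a URI; their values are kept verbatim.
    private const SAFE_ATTRIBUTES = ['title', 'class', 'id', 'rel', 'target'];
    // Schemes permitted in URI-like attribute values (assumed allow-list).
    private const ALLOWED_PROTOCOLS = ['http', 'https', 'mailto', 'tel'];

    /** Rebuild the array, dropping prohibited names and unsafe schemes. */
    public static function sanitizeAttributes(array $attributes): array
    {
        $clean = [];
        foreach ($attributes as $name => $value) {
            $name = strtolower(trim((string) $name));
            // Prohibited: any on* event handler and inline style.
            if ($name === '' || strncmp($name, 'on', 2) === 0 || $name === 'style') {
                continue;
            }
            $value = (string) $value;
            $clean[$name] = self::isSafeAttribute($name) ? $value : self::filterProtocols($value);
        }
        return $clean;
    }
    private static function isSafeAttribute(string $name): bool
    {
        return in_array($name, self::SAFE_ATTRIBUTES, true) || strncmp($name, 'data-', 5) === 0;
    }
    /** Strip leading schemes that are not allow-listed until the value is stable. */
    private static function filterProtocols(string $value): string
    {
        do {
            $before = $value;
            // Probe with whitespace/control characters removed, since browsers ignore them in a scheme.
            $probe = preg_replace('/[\x00-\x20]+/', '', $value);
            if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)
                && !in_array(strtolower($m[1]), self::ALLOWED_PROTOCOLS, true)) {
                $value = (string) substr($probe, strlen($m[0]));
            }
        } while ($value !== $before);
        return $value;
    }
}
// Constructed input modelled on the attributes named in the advisory.
$attrs = ['onmouseover' => "alert('XSS')", 'style' => "javascript:alert('XSS')",
          'href' => "java\tscript:alert(1)", 'title' => 'Example', 'data-id' => '42'];
print_r(LinkAttributeSanitizer::sanitizeAttributes($attrs));
```

The event handler and style attributes are removed entirely, the href keeps only what follows the rejected scheme, and the title and data-id values are untouched.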

A cross-site scripting (XSS) vulnerability allows attackers to inject malicious scripts into web pages. It typically occurs when a site fails to properly validate or sanitize user input, enabling unauthorized code to execute in a victim's browser. It appears in the OWASP Top Ten list of vulnerabilities under the third category, Injection. A website compromised in this way may experience:

  • Session hijacking
  • Data theft
  • Malware distribution
  • Defacement or phishing, and
  • Privilege escalation.

This issue affects all versions of Drupal 7 Link below 7.1.13 and is patched in Link NES version 7.1.14.

Details

Module Info

Vulnerability Info

This medium-severity vulnerability is found in all versions of the Link module lower than 7.1.13.

The vulnerability first described in Drupal 10 core (CVE-2025-31675) is a stored cross-site scripting (XSS) vulnerability affecting the Link field. Insufficient sanitization allows attackers with edit permissions, typically via web services, REST APIs, or custom/contrib modules, to inject malicious attributes into link render arrays. For instance, an attacker could add attributes such as onmouseover="alert('XSS')" or style="javascript:alert('XSS')", which would be rendered in the HTML output. When a victim views or interacts with the link (e.g., hovers over it), the injected JavaScript executes in their browser context, potentially leading to session hijacking, data theft, or further attacks. The issue is mitigated if no link fields are used or if the Link module is disabled, and it requires that the attacker already has access to modify link attributes, which is why it is rated moderately critical.

Addressing the Issue

Users of the affected component(s) should address this vulnerability in one of the following ways:

  • Ensure only trusted users have access to APIs or the database through which a malicious link can be added.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.

Credits

Additional Resources

Vulnerability Details

ID: CVE-2025-31675
Project Affected: Link
Versions Affected: >=7.1.0 <=7.1.12
NES Versions Affected:
Published date: February 2, 2026
≈ Fix date: March 18, 2025
Severity: Medium
Category: Cross-Site Scripting

Severity levels by CVSS assessment: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10.