CVE-2025-31674: 
PHP vulnerability analysis and mitigation

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2025-31674) was discovered in Drupal core, allowing Object Injection. The vulnerability affects Drupal core versions from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, and from 11.1.0 before 11.1.3. The issue was disclosed on March 31, 2025 (NVD).

The vulnerability is classified as an Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) issue. According to the CVSS v3.1 scoring by CISA-ADP, the vulnerability has received a High severity score of 7.5 with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow an attacker to perform object injection attacks, potentially leading to high impacts on confidentiality, integrity, and availability of the affected system. The CVSS scoring indicates that successful exploitation could result in complete compromise of system confidentiality, integrity, and availability (NVD).

Users should upgrade to the following fixed versions: Drupal 10.3.13 or later if running 10.3.x, Drupal 10.4.3 or later if running 10.4.x, Drupal 11.0.12 or later if running 11.0.x, or Drupal 11.1.3 or later if running 11.1.x (NVD).