AIKIDO-2025-10589

drupal/protected_pages is vulnerable to Improper Restriction of Excessive Authentication Attempts

Improper Restriction of Excessive Authentication Attempts | CVE-2025-9551 | Published Aug 28, 2025

63

Medium Risk

This Affects:

PHP: drupal/protected_pages
1.0.0 - 1.7.0
Fixed in 1.8

TL;DR

Affected versions of this package are vulnerable to a brute-force attack because password attempts for protected pages are not rate-limited. An attacker can guess passwords an unlimited number of times, but successful exploitation requires that the attacker first discover or guess the exact URL of the protected page they wish to target.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.
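One way to check a project against that range is to read the locked version from `composer.lock`. This is an added example, not code from the advisory or from the module; it assumes that any release from 1.0.0 up to, but not including, the fixed 1.8 is affected, and the function names and the sample lock file are constructed for illustration.

```python
import json
import re

PACKAGE = "drupal/protected_pages"
FIRST_AFFECTED = (1, 0, 0)  # advisory range starts at 1.0.0
FIXED_IN = (1, 8, 0)        # advisory: "Fixed in 1.8"

def parse_version(raw):
    """Return (major, minor, patch), or None for dev/branch versions."""
    v = raw.strip().lower().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)  # legacy Drupal form, e.g. 8.x-1.7
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", v)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())

def check_lock(lock_text):
    """Classify a composer.lock as affected / not affected / unknown / not installed."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name") != PACKAGE:
            continue
        version = parse_version(pkg.get("version", ""))
        if version is None:
            return "unknown"  # dev branch: compare the locked commit by hand
        if FIRST_AFFECTED <= version < FIXED_IN:
            return "affected"
        return "not affected"
    return "not installed"

# Constructed sample lock file (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/protected_pages", "version": "1.6.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(PACKAGE, "->", check_lock(SAMPLE_LOCK))
```

Pre-release suffixes such as `-rc1` are ignored when comparing, so a pre-release below 1.8 is reported as affected.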

Background info

drupal/protected_pages is vulnerable to Improper Restriction of Excessive Authentication Attempts in versions 1.0.0 - 1.7.0.

How to fix this

If you use the Protected Pages module for Drupal 8.x, upgrade the drupal/protected_pages library to the patched version (1.8).