Aikido Intel
Secure My Code
Intel

AIKIDO-2025-10813

drupal/core is vulnerable to Deserialization of Untrusted Data

Deserialization of Untrusted DataCVE-2025-13081 Published Nov 17, 2025

60

Medium Risk

This Affects:

PHPdrupal/core
8.0.0 - 10.4.8
Fixed in 10.4.9
10.5.0 - 10.5.5
Fixed in 10.5.6
11.0.0 - 11.1.8
Fixed in 11.1.9
11.2.0 - 11.2.7
Fixed in 11.2.8
Are you affected? Scan for Free

TL;DR

Affected versions of this package are vulnerable to Deserialization of Untrusted Data: a gadget chain in Drupal core can be leveraged if the application deserializes attacker-controlled data. The chain itself is not directly exploitable but can enable remote code execution when a separate vulnerability allows unsafe input to reach unserialize(). There are no known exploits in Drupal core.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/core is vulnerable to Deserialization of Untrusted Data in versions 8.0.0 - 10.4.8, 10.5.0 - 10.5.5, 11.0.0 - 11.1.8 and 11.2.0 - 11.2.7.

How to fix this

Upgrade the drupal/core library to the patch version.

Links

Are You Affected?

Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.

Scan for Free
Book a Demo

Free. No credit card required.

Aikido Platform
Subscribe
Stay up to date with all updates
LinkedIn YouTube X
© 2026 Aikido Security BV | BE0792914919
Ghent, Belgium | San Francisco, US
SOC 2SOC 2Compliant
ISO 27001ISO 27001Compliant
Get Security Done