CVE-2025-31691: Drupal OAuth2 Server Missing Authorization vulnerability

April 1, 2025 (updated April 29, 2025)

Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0.

References

git.drupalcode.org/project/oauth2_server
github.com/advisories/GHSA-4f8q-mwgc-3mwc
nvd.nist.gov/vuln/detail/CVE-2025-31691
www.drupal.org/sa-contrib-2025-020

Code Behaviors & Features

Detect and mitigate CVE-2025-31691 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →