CVE-2025-13083: CWE-525 Use of Web Browser Cache Containing Sensitive Information in Drupal Drupal core
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.
AI Analysis
Technical Summary
CVE-2025-13083 is a security vulnerability identified in Drupal core, spanning versions from 7.0 through multiple major releases up to 11.2.8. The issue arises from the improper use of web browser caching mechanisms that store sensitive information due to incorrectly configured access control security levels within Drupal. Specifically, sensitive data that should not be cached by browsers may be stored in the cache, potentially allowing unauthorized users with access to the client device or network to retrieve this information. The vulnerability is classified under CWE-525, which concerns the use of web browser cache containing sensitive data. The CVSS v3.1 base score is 3.7 (low), with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that the attack vector is network-based, requires high attack complexity, no privileges or user interaction, and impacts confidentiality only. No known exploits have been reported in the wild as of the publication date. The vulnerability affects Drupal core versions from 8.0.0 before 10.4.9, 10.5.0 before 10.5.6, 11.0.0 before 11.1.9, 11.2.0 before 11.2.8, and 7.0 before 7.103. The root cause is misconfiguration of access control settings that fail to prevent sensitive content from being cached by browsers, which can lead to unintended data exposure. The issue can be mitigated by applying patches in the fixed versions and ensuring proper cache-control headers and access control policies are enforced to prevent sensitive data caching.
Potential Impact
For European organizations, this vulnerability primarily threatens the confidentiality of sensitive information processed or displayed by Drupal-based websites or applications. Organizations handling personal data, financial information, or confidential business data through Drupal platforms could inadvertently expose such data to unauthorized parties if browser caches are accessed by attackers or unauthorized users. This risk is heightened in environments where client devices are shared, compromised, or subject to network interception. Although the vulnerability does not affect data integrity or availability, the leakage of sensitive information could lead to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential legal consequences. The low CVSS score reflects the requirement for high attack complexity and no direct integrity or availability impact, but the widespread use of Drupal in Europe means the aggregate risk is non-negligible. Organizations with public-facing Drupal sites or intranet portals should prioritize patching and configuration reviews to mitigate this exposure.
Mitigation Recommendations
1. Upgrade Drupal core to the fixed versions: at least 10.4.9, 10.5.6, 11.1.9, 11.2.8, or 7.103 depending on the version in use.
2. Review and enforce strict cache-control HTTP headers (e.g., Cache-Control: no-store, no-cache, private) on pages or API responses containing sensitive information to prevent browser caching.
3. Audit access control configurations within Drupal to ensure sensitive content is properly restricted and not inadvertently exposed to unauthorized users or cached.
4. Implement Content Security Policy (CSP) headers to reduce the risk of client-side data leakage.
5. Educate developers and administrators on secure caching practices and the risks of sensitive data caching.
6. Monitor web server and application logs for unusual access patterns that might indicate attempts to exploit cached data.
7. For highly sensitive environments, consider disabling browser caching entirely for authenticated or sensitive sessions.
8. Conduct regular security assessments and penetration testing focusing on caching and access control mechanisms.
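Recommendation 2 above is easy to get subtly wrong, because `private` and `no-cache` do not stop a browser from writing a response to disk; only `no-store` does. The following audit script is an added example for this page, not Drupal's own code or a tool from the Drupal project. It parses `Cache-Control` per RFC 9111 directive rules and flags sensitive responses that a browser would still be allowed to keep. The `SENSITIVE_PATHS` set and the `SAMPLE_RESPONSES` headers are constructed placeholders; in practice you would populate them from your own site map and from captured responses.

```python
"""Audit HTTP response headers for browser cacheability of sensitive content.

Added example, not Drupal's own code. Assumes the operator can list which
paths carry sensitive content (SENSITIVE_PATHS is a constructed placeholder);
the header samples below are constructed, not captured from a real site.
"""
from __future__ import annotations

from typing import Dict, List, Optional

# Constructed placeholder: paths the site operator knows carry sensitive data.
SENSITIVE_PATHS = {"/user/1/edit", "/api/account"}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: argument-or-None}.

    Directive names are case-insensitive (RFC 9111 section 5.2), so they are
    lower-cased; arguments keep their value with surrounding quotes stripped.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def assess_response(path: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means no issue.

    Header names are matched case-insensitively. For a sensitive path the bar
    is `Cache-Control: no-store`: `private` alone still lets the browser keep
    a disk copy, and `no-cache` only forces revalidation before reuse.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings: List[str] = []

    if path in SENSITIVE_PATHS:
        if "no-store" not in cc:
            findings.append("sensitive response lacks Cache-Control: no-store")
        if "public" in cc:
            findings.append("sensitive response marked public (shared caches may store it)")
        max_age = cc.get("max-age")
        if max_age is not None and max_age.isdigit() and int(max_age) > 0:
            findings.append(f"sensitive response allows reuse for max-age={max_age}s")
        if "set-cookie" in lower and "private" not in cc and "no-store" not in cc:
            findings.append("response sets a cookie without private/no-store")
    elif "set-cookie" in lower and "public" in cc:
        # A session-bearing page marked public is a misconfiguration anywhere.
        findings.append("public response sets a cookie")
    return findings


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run assess_response over every path -> headers pair; keep only hits."""
    report: Dict[str, List[str]] = {}
    for path, headers in responses.items():
        findings = assess_response(path, headers)
        if findings:
            report[path] = findings
    return report


# Constructed sample responses: a misconfigured account page beside a fixed one
# and an ordinary public page.
SAMPLE_RESPONSES = {
    "/user/1/edit": {
        "Content-Type": "text/html",
        "Cache-Control": "public, max-age=3600",
        "Set-Cookie": "SESSabc=xyz; HttpOnly; Secure",
    },
    "/api/account": {
        "Content-Type": "application/json",
        "Cache-Control": "no-store, private",
    },
    "/": {
        "Content-Type": "text/html",
        "Cache-Control": "public, max-age=600",
    },
}

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_RESPONSES).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Running the script reports only `/user/1/edit`, with four findings; `/api/account` passes because `no-store` is present, and the public front page is left alone. To use it against a live site, feed `audit()` a mapping built from the response headers of an authenticated crawl rather than the constructed sample.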
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: drupal
- Date Reserved: 2025-11-12T18:26:39.713Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 691ca896209f2030fa0168df
Added to database: 11/18/2025, 5:10:46 PM
Last enriched: 1/17/2026, 7:22:56 AM
Last updated: 2/7/2026, 3:36:47 PM
Views: 50
Related Threats
- CVE-2026-2089: SQL Injection in SourceCodester Online Class Record System (Medium)
- CVE-2026-2088: SQL Injection in PHPGurukul Beauty Parlour Management System (Medium)
- CVE-2026-2087: SQL Injection in SourceCodester Online Class Record System (Medium)
- CVE-2026-2086: Buffer Overflow in UTT HiPER 810G (High)
- CVE-2026-2085: Command Injection in D-Link DWR-M921 (High)