The vulnerability CVE-2025-13947 in WebKitGTK involves a failure to verify that drag-and-drop file operations originate from outside the browser, which can be exploited by a remote attacker to disclose local files accessible to the user. This is a user-assisted information disclosure vulnerability with a CVSS 3.1 base score of 7.4 (high severity), indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and high confidentiality impact. Red Hat advisories RHSA-2025:22789 and RHSA-2025:22790 confirm the issue and provide updated webkit2gtk3 packages for Red Hat Enterprise Linux 8 and 9 respectively. These updates fix this vulnerability along with several other WebKitGTK security issues. The vendor advisory is the authoritative source for patch availability and remediation details.

Successful exploitation of this vulnerability allows a remote attacker to cause user-assisted disclosure of any file the user has permission to read by tricking the user into performing a drag-and-drop operation. This can lead to exposure of sensitive local files. There is no indication of privilege escalation, integrity, or availability impact from this vulnerability alone. The CVSS score of 7.4 reflects the high confidentiality impact and the requirement for user interaction.

Official patches are available from Red Hat for affected versions of webkit2gtk3 on Red Hat Enterprise Linux 8 and 9. Users and administrators should apply these security updates promptly to remediate the vulnerability. The vendor manages remediation through these package updates, and no additional mitigation steps are indicated in the advisory. Refer to Red Hat's security advisories RHSA-2025:22789 and RHSA-2025:22790 and the update instructions at https://access.redhat.com/articles/11258 for detailed patching guidance.