CVE-2025-13984 is a security vulnerability classified under CWE-942, indicating a permissive cross-domain security policy involving untrusted domains within Drupal's Next.js integration. The vulnerability arises because the affected versions of Next.js (from 0.0.0 before 1.6.4 and from 2.0.0 before 2.0.1) allow overly broad cross-origin permissions, which can be exploited to perform Cross-Site Scripting (XSS) attacks. XSS vulnerabilities enable attackers to inject malicious scripts into web pages viewed by other users, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of the victim. The root cause is the misconfiguration or design flaw in the cross-domain security policy that fails to restrict which domains can interact with the application, thus trusting unverified external domains. Although no known exploits have been reported in the wild, the vulnerability is publicly disclosed and poses a significant risk to applications using these Next.js versions integrated with Drupal. The absence of an official patch at the time of disclosure means organizations must proactively implement mitigations. The vulnerability primarily impacts the confidentiality and integrity of user data and can lead to further exploitation if chained with other vulnerabilities. The issue is particularly critical for web applications that handle sensitive user information or authentication tokens. The technical details confirm the vulnerability was reserved in December 2025 and published in January 2026, but no CVSS score has been assigned yet.

For European organizations, the impact of CVE-2025-13984 can be substantial, especially for those relying on Drupal with Next.js for their web platforms. Successful exploitation of this XSS vulnerability can lead to theft of user credentials, session hijacking, defacement of websites, and distribution of malware to users. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches due to data exposure), and cause financial losses. Public sector entities, e-commerce platforms, and service providers are particularly vulnerable due to their high user interaction and sensitive data processing. Additionally, the exploitation could be used as a foothold for more advanced attacks, including lateral movement within networks. The lack of a patch increases the urgency for organizations to implement compensating controls. Given the widespread use of Drupal in Europe and the popularity of Next.js for modern web development, the scope of affected systems is broad, potentially impacting numerous sectors including government, finance, healthcare, and retail.

1. Immediately audit all Drupal-based web applications to identify usage of Next.js versions prior to 1.6.4 and 2.0.1. 2. Restrict cross-domain policies by explicitly specifying trusted domains and removing any wildcard or overly permissive entries in Content Security Policy (CSP) headers and CORS configurations. 3. Implement strict input validation and output encoding to prevent injection of malicious scripts. 4. Monitor web application logs and user reports for signs of XSS exploitation attempts or unusual script execution. 5. Employ Web Application Firewalls (WAFs) with updated rules to detect and block XSS payloads targeting this vulnerability. 6. Engage with Drupal and Next.js communities to track patch releases and apply updates promptly once available. 7. Educate developers and administrators on secure cross-domain policy configurations and the risks of permissive settings. 8. Consider deploying runtime application self-protection (RASP) solutions to detect and mitigate attacks in real-time. 9. Conduct regular security assessments and penetration tests focusing on cross-domain interactions and script injection vectors.