CVE-2025-13984 is a vulnerability classified under CWE-942, indicating a permissive cross-domain security policy that includes untrusted domains within Drupal's Next.js integration. This vulnerability arises when the security policy governing cross-origin resource sharing or content security policies is configured too permissively, allowing domains that should not be trusted to interact with the web application. Specifically, this flaw enables Cross-Site Scripting (XSS) attacks, where an attacker can inject malicious scripts that execute in the context of the vulnerable site. The affected versions of Next.js are from initial releases (0.0.0) up to but not including 1.6.4, and from 2.0.0 up to but not including 2.0.1. The vulnerability does not require any privileges or authentication to exploit, but it does require user interaction, such as clicking a malicious link or visiting a crafted webpage. The CVSS 3.1 score of 6.1 reflects a medium severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. The vulnerability's scope is changed, meaning the attack can affect resources beyond the vulnerable component. No patches are explicitly linked in the provided data, but upgrading to versions 1.6.4 or 2.0.1 and later is implied to remediate the issue. No known exploits have been reported in the wild, but the risk remains significant due to the nature of XSS attacks and their potential to steal session tokens, deface websites, or redirect users to malicious sites.

For European organizations, this vulnerability poses a risk primarily to web applications built using Drupal integrated with affected versions of Next.js. Successful exploitation can lead to unauthorized script execution, potentially compromising user session tokens, personal data, or enabling phishing attacks through manipulated content. This can result in confidentiality breaches and integrity violations, undermining user trust and potentially violating GDPR requirements for data protection. While availability is not directly impacted, the reputational damage and regulatory consequences could be significant. Organizations in sectors with high web presence such as e-commerce, government portals, and financial services are particularly at risk. The vulnerability's exploitation does not require authentication, increasing the attack surface. Given the widespread use of Drupal and Next.js in Europe, especially in countries with strong digital economies, the impact could be broad if unpatched systems remain in production.

European organizations should immediately identify any Drupal installations using affected Next.js versions (prior to 1.6.4 and 2.0.1). The primary mitigation is to upgrade Next.js to version 1.6.4 or later, or 2.0.1 or later, where the vulnerability is resolved. If immediate upgrading is not feasible, organizations should review and tighten cross-domain security policies, including Content Security Policy (CSP) headers, to restrict allowed domains explicitly and avoid wildcard or overly permissive settings. Implementing strict input validation and output encoding can reduce the risk of XSS exploitation. Additionally, employing web application firewalls (WAFs) with rules targeting XSS patterns can provide temporary protection. Regular security audits and penetration testing focusing on cross-domain policies and XSS vectors are recommended. User awareness training to recognize phishing and suspicious links can help mitigate user interaction risks. Monitoring for unusual script execution or anomalous web traffic may help detect exploitation attempts early.