CVE-2025-31695 is a Cross-Site Scripting (XSS) vulnerability identified in the Drupal Link field display mode formatter component. This vulnerability arises due to improper neutralization of input during web page generation, specifically in the way the Link field display mode formatter processes and renders user-supplied input. The affected versions include all prior to 1.6.0, with the vulnerability present from version 0.0.0 up to but not including 1.6.0. The vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users. Exploitation requires user interaction, such as clicking a crafted link or visiting a maliciously crafted page, but does not require any authentication or elevated privileges. The CVSS v3.1 base score is 6.1 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and low impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). The scope change indicates that the vulnerability affects components beyond the initially vulnerable component, potentially impacting other parts of the Drupal application or connected systems. No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. The vulnerability is classified under CWE-79, which is a common and well-understood category of XSS vulnerabilities. Given Drupal's widespread use as a content management system (CMS) for websites, this vulnerability could be leveraged to execute arbitrary JavaScript in the context of affected websites, leading to session hijacking, defacement, or redirection to malicious sites.

For European organizations, the impact of CVE-2025-31695 can be significant, especially for those relying on Drupal-powered websites for public-facing portals, e-commerce, or internal applications. Successful exploitation could lead to theft of user credentials, session tokens, or other sensitive information, undermining user trust and potentially violating data protection regulations such as the GDPR. The scope change in the vulnerability suggests that the impact could extend beyond a single component, potentially affecting multiple modules or integrated systems. This could result in broader compromise or data leakage. Additionally, organizations in sectors such as government, finance, healthcare, and critical infrastructure, which often use Drupal for their web presence, may face reputational damage and operational disruptions. While availability is not directly impacted, the indirect consequences of compromised integrity and confidentiality could lead to downtime or costly incident response efforts. The requirement for user interaction means phishing or social engineering campaigns could be used to trigger the exploit, increasing the risk to end users and employees. Overall, the vulnerability poses a medium risk but should be addressed promptly to prevent exploitation and compliance issues.

1. Immediate review and upgrade: Organizations should identify all Drupal instances using the Link field display mode formatter and upgrade to version 1.6.0 or later as soon as it becomes available. If no patch is currently released, consider applying temporary mitigations such as disabling or restricting the use of the vulnerable Link field display mode formatter. 2. Input validation and sanitization: Implement additional server-side input validation and output encoding for any user-supplied data rendered via the Link field display mode formatter to reduce the risk of XSS. 3. Content Security Policy (CSP): Deploy a strict CSP header to limit the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 4. User awareness and phishing defenses: Educate users about the risks of clicking untrusted links and implement email filtering and anti-phishing technologies to reduce the likelihood of successful social engineering. 5. Web Application Firewall (WAF): Configure WAF rules to detect and block common XSS payloads targeting Drupal sites, focusing on the vulnerable component's request patterns. 6. Monitoring and logging: Enhance logging of web requests and monitor for unusual activity or indicators of attempted exploitation, enabling rapid detection and response. 7. Segmentation and least privilege: Limit the exposure of Drupal administrative interfaces and sensitive user data by network segmentation and applying least privilege principles to reduce potential damage from exploitation.