CVE-2025-31696: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Drupal RapiDoc OAS Field Formatter

Medium
Published: Mon Mar 31 2025 (03/31/2025, 21:55:01 UTC)
Source: CVE
Vendor/Project: Drupal
Product: RapiDoc OAS Field Formatter

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal RapiDoc OAS Field Formatter allows Cross-Site Scripting (XSS). This issue affects RapiDoc OAS Field Formatter: from 0.0.0 before 1.0.1.

AI-Powered Analysis

Last updated: 06/25/2025, 00:50:39 UTC

Technical Analysis

CVE-2025-31696 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the Drupal RapiDoc OAS Field Formatter module in versions prior to 1.0.1, specifically from version 0.0.0 up to but not including 1.0.1. The vulnerability arises from improper neutralization of input during web page generation, which allows malicious input to be injected and executed within the context of a user's browser. An attacker can craft a payload that, when rendered by the vulnerable Drupal module, executes arbitrary JavaScript code in the victim's browser. The CVSS v3.1 base score is 6.1 (medium severity), with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N indicating that the attack can be launched remotely over the network, has low attack complexity, requires no privileges, but does require user interaction (e.g., clicking a malicious link). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. The impact on confidentiality and integrity is limited, and there is no impact on availability. No known exploits are currently in the wild, and no official patches have been linked yet. The vulnerability specifically targets the RapiDoc OAS Field Formatter, a Drupal module used to render OpenAPI Specification (OAS) documentation within Drupal sites, which organizations often use to document and expose APIs. Improper input sanitization during the rendering process allows injection of malicious scripts, which can lead to session hijacking, defacement, or redirection attacks when users interact with the affected pages.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to web applications that utilize the Drupal RapiDoc OAS Field Formatter module to display API documentation. Exploitation could lead to theft of session tokens, user impersonation, or unauthorized actions performed in the context of the victim user. This is particularly concerning for organizations that expose sensitive API documentation internally or externally, such as government agencies, financial institutions, healthcare providers, and technology companies. The XSS vulnerability could be leveraged to target privileged users or administrators, potentially leading to further compromise of internal systems. Additionally, the scope change in the CVSS vector suggests that the vulnerability could affect multiple components or user sessions beyond the immediate vulnerable module, increasing the potential attack surface. Given the reliance on Drupal in many European public sector and enterprise environments, the impact could extend to data confidentiality breaches and erosion of trust in affected services. However, since exploitation requires user interaction and the impact on availability is none, the threat is less severe than vulnerabilities allowing remote code execution or denial of service. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the need for prompt remediation.

Mitigation Recommendations

1. Immediate upgrade: Organizations should promptly update the RapiDoc OAS Field Formatter module to version 1.0.1 or later once it becomes available, as this will contain the necessary input sanitization fixes.
2. Input validation and output encoding: Until patches are applied, implement additional server-side input validation and strict output encoding policies for any user-supplied data rendered by the module.
3. Content Security Policy (CSP): Deploy a robust CSP header to restrict the execution of unauthorized scripts and mitigate the impact of XSS attacks.
4. User awareness: Educate users, especially administrators and developers, about the risks of clicking untrusted links or interacting with suspicious content related to API documentation.
5. Access controls: Restrict access to API documentation pages rendered by the RapiDoc module to trusted users only, using authentication and authorization mechanisms.
6. Web Application Firewall (WAF): Configure WAF rules to detect and block common XSS payloads targeting Drupal modules, including RapiDoc.
7. Monitoring and logging: Enable detailed logging of web requests and monitor for unusual activity or attempted exploitation patterns targeting the vulnerable module.
8. Review customizations: Audit any custom code or integrations with the RapiDoc module to ensure they do not introduce additional injection vectors.

Technical Details

Data Version: 5.1
Assigner Short Name: drupal
Date Reserved: 2025-03-31T21:30:25.065Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d983cc4522896dcbeec6e

Added to database: 5/21/2025, 9:09:16 AM

Last enriched: 6/25/2025, 12:50:39 AM

Last updated: 8/10/2025, 4:05:44 PM
