General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018

Project:

Date:

2025-February-26

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross Site Request Forgery

Affected versions:

<3.0.1 || >=3.1.0 <3.1.2

CVE IDs:

CVE-2025-31689

Description:

The GDPR Task submodule enables you to create GDPR tasks.

The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks.

Solution:

Install the latest version:

If you use the General Data Protection Regulation module 3.0.x, upgrade to 3.0.1
If you use the General Data Protection Regulation module 3.1.x, upgrade to 3.1.2

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.