AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021

Project:

AI (Artificial Intelligence)

Date:

2025-March-05

Security risk:

Critical 15 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon

Vulnerability:

Remote Code Execution

Affected versions:

<1.0.5

CVE IDs:

CVE-2025-31692

Description:

The AI Automators module (a submodule of AI) enables you to create different automated tasks that fills out field data using LLM outputs.

The module doesn't sufficiently sanitize input before passing it to the underlying shell as part of a command for execution, allowing an attacker to run arbitrary commands.

The vulnerability exists in optional Automator Types which are part of the optional AI Automators (sub)module.

The AI module is included in Drupal CMS.

Solution:

Install the latest version:

If you use the AI module for Drupal, upgrade to AI 1.0.5

Reported By:

Drew Webber (mcdruid) of the Drupal Security Team

Fixed By:

Marcus Johansson (marcus_johansson)
Drew Webber (mcdruid) of the Drupal Security Team
Michal Gow (seogow)

Coordinated By:

Drew Webber (mcdruid) of the Drupal Security Team

Contribution record

AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community