ECA: Event - Condition - Action - Critical - Cross site request forgery - SA-CONTRIB-2025-031

Project:

ECA: Event - Condition - Action

Date:

2025-April-09

Security risk:

Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross site request forgery

Affected versions:

<1.1.12 || >=2.0.0 <2.0.16 || >=2.1.0 <2.1.7 || 1.2.*

CVE IDs:

CVE-2025-3131

Description:

This module enables you to define automations on your Drupal site.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability can be mitigated by disabling the "eca_ui" submodule, which leaves ECA functionality intact, but the vulnerable routes will no longer be available.

Solution:

Install the latest version:

If you use the ECA module for Drupal 10 or 11, upgrade to ECA 1.1.12 or ECA 2.0.16 or ECA 2.1.7

Reported By:

Juraj Nemec (poker10) of the Drupal Security Team

Fixed By:

Benji Fisher (benjifisher) of the Drupal Security Team
Jürgen Haas (jurgenhaas)
Lee Rowlands (larowlan) of the Drupal Security Team

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

ECA: Event - Condition - Action - Critical - Cross site request forgery - SA-CONTRIB-2025-031

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community