Events Log Track - Moderately critical - Denial of Service - SA-CONTRIB-2025-059

Project:

Date:

2025-May-14

Security risk:

Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All

Vulnerability:

Denial of Service

Affected versions:

<3.1.11 || >=4.0.0 <4.0.2

CVE IDs:

CVE-2025-4416

Description:

The Events Log Track module enables you to log specific events on a Drupal site.

The module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack.

Solution:

Install the latest version:

If you use the event_log_track_auth_user_login_validate sub-module for Drupal 10.x or 11.x, upgrade to events_log_track 4.0.2 or events_log_track 3.1.11

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.