Vulnerability details: VCID-pat1-3f2g-nbf1
Vulnerability ID: VCID-pat1-3f2g-nbf1
Aliases: CVE-2022-25275, GHSA-xh3v-6f9j-wxw3, GMS-2022-3362
Summary: Drupal core Information Disclosure vulnerability

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) `$config['image.settings']['allow_insecure_derivatives']` or (Drupal 7) `$conf['image_allow_insecure_derivatives']` to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.
Status: Published
Exploitability: 0.5
Weighted Severity: 8.0
Risk: 4.0
System | Score | Found at
epss | 0.00247 | https://api.first.org/data/v1/epss?cve=CVE-2022-25275
cvssv3.1_qr | HIGH | https://github.com/advisories/GHSA-xh3v-6f9j-wxw3
cvssv3.1 | 7.5 | https://github.com/drupal/core
generic_textual | HIGH | https://github.com/drupal/core
cvssv3.1 | 7.5 | https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf
generic_textual | HIGH | https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf
cvssv3.1 | 7.5 | https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116
generic_textual | HIGH | https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116
cvssv3.1 | 7.5 | https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml
generic_textual | HIGH | https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml
cvssv3.1 | 7.5 | https://nvd.nist.gov/vuln/detail/CVE-2022-25275
generic_textual | HIGH | https://nvd.nist.gov/vuln/detail/CVE-2022-25275
cvssv3.1 | 7.5 | https://www.drupal.org/sa-core-2022-012
generic_textual | HIGH | https://www.drupal.org/sa-core-2022-012
ssvc | Track | https://www.drupal.org/sa-core-2022-012
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/drupal/core
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): high
Integrity Impact (I): none
Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-25275
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.drupal.org/sa-core-2022-012
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-03T18:45:46Z/ Found at https://www.drupal.org/sa-core-2022-012
Exploit Prediction Scoring System (EPSS)
Percentile: 0.47964
EPSS Score: 0.00247
Published At: July 30, 2025, 12:55 p.m.
Date | Actor | Action | Source | VulnerableCode Version
2025-07-31T09:03:22.506538+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-xh3v-6f9j-wxw3/GHSA-xh3v-6f9j-wxw3.json | 37.0.0