RapiDoc OAS Field Formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-025 | Drupal.org
Project: RapiDoc OAS Field Formatter
Date: 2025-March-19
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting
Affected versions: <1.0.1
CVE IDs: CVE-2025-31696
Description:
This module can be used to render Open API Documentation using the RapiDoc library. The module provides a custom formatter for link fields.
Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability (XSS).
A separate fix for Drupal core has been released but this module requires a concurrent release to make use of the Drupal core fix.
This vulnerability is mitigated by the fact that an attacker would need the ability to add specific attributes to a Link field, which typically requires edit access via core web services, or via a contrib or custom module.
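An added illustration of the defensive step this advisory points at: a standalone PHP sketch (not the module's or Drupal core's code, and using no Drupal API) of a link formatter that allow-lists the attributes a stored link item may carry, rejects script-bearing URI schemes, and escapes every value before it reaches markup. The allow-list, the helper names and the sample link item are constructed for this example.

```php
<?php
// Added example: standalone PHP, not the module's or Drupal core's code.
// The weakness described above is attribute data from a link field reaching
// the <a> element unchecked; the two filters below model the missing checks.

/**
 * Keep only attributes from a constructed allow-list of presentational names.
 * Anything else, including every on* event-handler attribute, is dropped.
 */
function filter_link_attributes(array $attributes): array {
  $allowed = ['class', 'title', 'target', 'rel', 'id'];  // assumed allow-list
  $safe = [];
  foreach ($attributes as $name => $value) {
    $name = strtolower((string) $name);
    if (!in_array($name, $allowed, true) || !is_scalar($value)) {
      continue;
    }
    $safe[$name] = (string) $value;
  }
  return $safe;
}

/**
 * Allow only navigating schemes in href; relative URIs pass through unchanged,
 * any other absolute scheme is replaced with a harmless fragment link.
 */
function safe_href(string $uri): string {
  $uri = trim($uri);
  if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $uri, $m)) {
    if (!in_array(strtolower($m[1]), ['http', 'https', 'mailto', 'tel'], true)) {
      return '#';
    }
  }
  return $uri;
}

/** Render the link with every surviving attribute value HTML-escaped. */
function render_link(string $uri, string $text, array $attributes): string {
  $attrs = filter_link_attributes($attributes);
  $attrs['href'] = safe_href($uri);
  $html = '<a';
  foreach ($attrs as $name => $value) {
    $html .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
  }
  return $html . '>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
}

// Constructed sample link item in the shape Drupal link fields store (uri, title, options).
$item = [
  'uri' => 'https://example.com/openapi.json',
  'title' => 'API spec',
  'options' => ['attributes' => ['class' => 'spec-link', 'onclick' => 'doSomething()', 'title' => 'Spec "v1"']],
];
// The onclick attribute is dropped and the quotes in title are escaped.
echo render_link($item['uri'], $item['title'], $item['options']['attributes']), PHP_EOL;
```

In a real formatter the module would lean on Drupal's own escaping (the `Attribute` render class and `UrlHelper::stripDangerousProtocols()`) rather than hand-rolled helpers; the point here is only that attribute names and URI schemes need a positive check, not just value escaping.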
Solution:
Install the latest version:
If you use the RapiDoc OAS Field Formatter module for Drupal 10, upgrade to RapiDoc OAS Field Formatter 1.0.1
Upgrade to Drupal 10.3.14, 10.4.5, 11.0.13, or 11.1.5
Reported By:
Joseph Zhao (pandaski), Provisional Member of the Drupal Security Team
Fixed By:
Arlina Espinoza Rhoton (arlina)
Benji Fisher (benjifisher) of the Drupal Security Team
Lee Rowlands (larowlan) of the Drupal Security Team
Coordinated By:
Bram Driesen (bramdriesen), Provisional Member of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Contact and more information
The Drupal security team can be reached by email at security at drupal.org or via the contact form.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Bluesky or Mastodon.
Contributing organizations for this advisory
PreviousNext
govCMS (Australian Government Department of Finance)
Chapter Three (acquired by Kanopi Studios)
Colorado Governor's Office of Information Technology - Colorado Digital Service
Acquia
ActivIT s.r.o.
Sopra Steria
The security team is made up of volunteers around the world. The companies above have sponsored time on this release.