Drupal core - Highly critical

Highly Critical - Remote Code Execution - Affects Drupal Version 7 and 8

Sun, 02/24/2019 - 14:26

Drupal Core Highly Critical Remote Code Execution SA-CORE-2019-003

Drupal Core Highly Critical Remote Code Execution was found by the Drupal Security Team, this is a Highly Critical Vulnerability, so it's really important that websites administrators fix their websites before hackers abuse the loophole.

The Vulnerability is a critical remote code execution (RCE) flaw in Drupal Core that could lead to arbitrary PHP code execution. According to the Drupal security team:

While the Drupal team hasn't released any technical details of the vulnerability (CVE-2019-6340), it mentioned that the flaw resides due to the fact that some field types do not properly sanitize data from non-form sources and affects Drupal 7 and 8 Core.

Drupal core Highly critical remote code execution


Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests, or

  • the site has another web services module enabled, like JSON:API in Drupal 8, or Servicesor RESTful Web Services in Drupal 7.

(Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.)


  • 2019-02-20 - updated risk score given new information see PSA-2019-02-22, the security risk score has been updated to 21/25 as there are now known exploits. In addition any enabled REST resource end-point, even if it only accepts GET requests is also vulnerable. Note this does not include REST exports from Views module.


Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

To immediately mitigate the vulnerability, you can disable all web services modules, or configure your web server(s) to not allow GET/PUT/PATCH/POST requests to web services resources. Note that web services resources may be available on multiple paths depending on the configuration of your server(s). For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the "q" query argument. For Drupal 8, paths may still function when prefixed with index.php/.

Mexico City

Today, March 23, 2019
Sunrise: 06:37
Sunset: 18:48


73 °F / 23 °C