CVE-2024-45440 in Drupal

Summary

by MITRE • 08/29/2024

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

Analysis

by VulDB Data Team • 07/31/2025

The vulnerability identified as CVE-2024-45440 affects Drupal 11.x-dev versions and represents a critical Full Path Disclosure (FPD) flaw within the core/authorize.php file. This vulnerability manifests when the system's hash_salt configuration contains a value derived from file_get_contents referencing a file that does not exist. The flaw operates independently of error logging settings, meaning that even when error reporting is disabled, the vulnerability remains exploitable. The core issue stems from Drupal's authorization mechanism failing to properly sanitize or validate file paths during the hash salt generation process, creating an unintended information disclosure channel.

The technical exploitation of this vulnerability occurs through the manipulation of the hash_salt configuration parameter in Drupal's settings. When Drupal attempts to process a file_get_contents call referencing a non-existent file, the system's error handling mechanism inadvertently reveals the absolute file path of the Drupal installation directory. This occurs because the PHP error handling process, even with error logging disabled, still outputs path information to the web server's error logs or directly to the HTTP response in certain configurations. The vulnerability specifically targets the authorization workflow where hash salts are generated, making it particularly dangerous as it can be triggered during administrative operations or authentication processes.

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with critical system path information that can be leveraged for subsequent attacks. The disclosed paths can reveal the exact directory structure of the web server, potentially exposing sensitive information about the hosting environment and application deployment. This information can aid attackers in planning more sophisticated attacks such as local file inclusion exploits, directory traversal attempts, or other path-based vulnerabilities. The vulnerability is particularly concerning in production environments where such path information could be used to map the complete application architecture and identify potential attack vectors.

Security practitioners should implement immediate mitigations including verifying that hash_salt values in Drupal's settings.php file do not reference non-existent files through file_get_contents operations. The recommended approach involves either removing problematic hash_salt configurations or ensuring that any file references resolve to valid files. Additionally, organizations should review their error handling configurations and ensure that error messages are properly sanitized to prevent path disclosure. This vulnerability aligns with CWE-209, which addresses "Information Exposure Through an Error Message," and can be categorized under ATT&CK technique T1082 for system information discovery. The flaw demonstrates the importance of proper input validation and error handling in web applications, particularly in core authorization mechanisms where security implications are magnified. Organizations should also consider implementing web application firewalls and monitoring for suspicious patterns in error responses that might indicate exploitation attempts.
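The settings.php check recommended above can be scripted. The following is an added example, not part of this entry or of Drupal's code: it finds every uncommented, single-line `$settings['hash_salt'] = file_get_contents(...)` assignment and reports whether the referenced file exists. The function names `audit_hash_salt` and `demo` are hypothetical, and the settings.php content is a constructed sample.

```python
import re
import tempfile
from pathlib import Path

# $settings['hash_salt'] = file_get_contents(<arg>); on an uncommented line
SALT_RE = re.compile(
    r"""^\s*\$settings\[\s*['"]hash_salt['"]\s*\]\s*=\s*file_get_contents\(\s*(.+?)\s*\)\s*;""",
    re.MULTILINE,
)
# One quoted string literal, no variables or concatenation
LITERAL_RE = re.compile(r"""^(['"])([^'"$]+)\1$""")


def audit_hash_salt(settings_file):
    """Return (status, argument) for every file-backed hash_salt assignment."""
    findings = []
    for m in SALT_RE.finditer(Path(settings_file).read_text(encoding="utf-8")):
        arg = m.group(1)
        lit = LITERAL_RE.match(arg)
        path = Path(lit.group(2)) if lit else None
        if path is None or not path.is_absolute():
            # Built from variables, or relative (PHP resolves that against the
            # working directory): cannot be decided statically.
            status = "review"
        elif not path.is_file():
            status = "missing"  # the condition described in the CVE summary
        elif path.stat().st_size == 0:
            status = "empty"
        else:
            status = "ok"
        findings.append((status, arg))
    return findings


def demo():
    """Audit a constructed settings.php written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "salt.txt").write_text("constructed-sample-salt\n")
        settings = base / "settings.php"
        settings.write_text(
            "<?php\n"
            f" * $settings['hash_salt'] = file_get_contents('{base}/doc.txt');\n"
            f"$settings['hash_salt'] = file_get_contents('{base}/salt.txt');\n"
            f"$settings['hash_salt'] = file_get_contents('{base}/gone.txt');\n"
            "$settings['hash_salt'] = file_get_contents($app_root . '/salt.txt');\n"
        )
        return [status for status, _ in audit_hash_salt(settings)]
```

Run it as the same user the web server uses, so that `is_file()` reflects what PHP can actually see. Anything reported as `review` has to be resolved by hand.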

Responsible

MITRE

Reservation

08/29/2024

Disclosure

08/29/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.86689

KEV

no

Activities

very low
