Facets up to 2.0.9/3.0.0 on Drupal authorization

Summaryinfo

A vulnerability has been found in Facets up to 2.0.9/3.0.0 on Drupal and classified as critical. This affects an unknown part. This manipulation causes authorization. This vulnerability is tracked as CVE-2025-9549. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Facets up to 2.0.9/3.0.0 on Drupal. It has been declared as critical. Affected by this vulnerability is an unknown part. The manipulation with an unknown input leads to a authorization vulnerability. The CWE definition for the vulnerability is CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Missing Authorization vulnerability in Drupal Facets allows Forceful Browsing.This issue affects Facets: from 0.0.0 before 2.0.10, from 3.0.0 before 3.0.1.

The weakness was disclosed by Damien Mckenna as sa-contrib-2025-099. It is possible to read the advisory at drupal.org. This vulnerability is known as CVE-2025-9549 since 08/27/2025. The exploitation appears to be easy. The attack can be launched remotely. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 2.0.10 or 3.0.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-33791). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Name

• Facets

Version

• 2.0.0
• 2.0.1
• 2.0.2
• 2.0.3
• 2.0.4
• 2.0.5
• 2.0.6
• 2.0.7
• 2.0.8
• 2.0.9
• 3.0

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion