CVE CyberSecurity Database News

CVE-2022-25278 - How Drupal's Form API Access Checks Can Fail and Why Your Custom Forms Are At Risk

Poster -

Security flaws in powerful frameworks like Drupal are always attention-grabbers, especially when the bug is subtle and can lurk in custom code. CVE-2022-25278, a vulnerability in Drupal’s Form API, is just such a case. Although no core forms are directly affected, the risk to custom modules or contributed forms is something every Drupal developer should understand deeply.

In this post, we’ll break down what CVE-2022-25278 is, how it happens, and what the real-world exploitability looks like (plus a code snipplet so you can check your own modules). We’ll make it easy to follow, avoiding deep jargon but giving you the details you need. And as always: patch, review, and stay informed!

What is CVE-2022-25278?

CVE-2022-25278 identifies a bug in how Drupal’s form API (FAPI) determines if users are allowed to alter data, especially in contributed or custom forms. The issue: under certain situations, the 'access' property for form elements can be incorrectly checked by the API, accidentally granting users more privileges than intended.

The upshot: Users could potentially alter data they shouldn't be allowed to—if your site uses custom forms with misconfigured access checks.

Official Drupal security advisory:  
🔗 Drupal SA-CORE-2022-005

NVD record:  
🔗 CVE-2022-25278 at NVD

How Does It Happen?

Drupal forms are defined as hierarchical arrays with metadata for each form element, including an 'access' key (boolean or callback) used to determine whether a user can see or interact with an element.

A simplified form definition might look like this

$form['example_field'] = [
  '#type' => 'textfield',
  '#title' => t('Sensitive Field'),
  '#access' => user_access('administer sensitive data'), // Should only show to admins
];

The bug occurs when forms are altered by other modules or themes—especially when those alterations do not take care to preserve or properly set the 'access' property. In specific circumstances, Drupal’s API may fail to re-evaluate the access check, resulting in unwanted access.

When Are Forms Vulnerable?

- Custom or contributed forms that use dynamic logic for access checks and may be altered by other modules.
- Any form that relies on 'access' keys for security, especially if hooks like hook_form_alter() are in use.

Suppose you have a custom form where access to a field is restricted

$form['account_number'] = [
  '#type' => 'textfield',
  '#title' => t('Bank Account Number'),
  '#access' => in_array('finance manager', $user_roles), // Only finance managers can see
];

Now, if a contributed module alters this form and accidentally removes the 'access' condition or fails to reapply it, anyone could see and submit this field—without you realizing.

Attacker signs in as a regular user.

2. A custom, misconfigured form has a field with sensitive data, hidden using the 'access' key, but access was not re-evaluated after a form alter.
3. The attacker uses browser tools like modifying the HTML or intercepting requests to include the hidden form field in a submission.
4. Drupal’s backend processes the field anyway, because the form API did not correctly deny access on the backend, only on the frontend!

Result: The attacker can submit or even change data they were not supposed to, such as admin-only notes, hidden flags, or financial fields.

1. Update Drupal Core

Even though core forms aren’t vulnerable, always upgrade to the fixed Drupal versions. Here’s the release info:

Drupal 9.3.10 and 9.2.16

- Download the latest Drupal core

2. Audit Your Custom Code

If your themes or custom modules define forms using access logic, review them.

✅ Access checks are *always* applied on the backend, not just via hiding fields in the browser.

- ✅ Use Form API best practices for access.

Instead of only using '#access', validate on submit

function mymodule_form_submit($form, &$form_state) {
  // Double-check permission before processing.
  if (!user_access('do_sensitive_things')) {
    drupal_access_denied();
    return;
  }
  // Safe to handle sensitive data here...
}

References and Further Reading

- Drupal Security Advisory: SA-CORE-2022-005
- Drupal Form API Documentation
- NVD CVE-2022-25278 Details

Final Thoughts

CVE-2022-25278 serves as a reminder: *backend security cannot rely on frontend-only checks or form field visibility*. Always ensure that the backend strictly verifies user permissions. For Drupal site owners using contributed or custom forms, review your access logic on both render and submit. Stay patched, stay safe!

Questions or want to share your site-audit tips? Leave a comment below.

Timeline

Published on: 04/26/2023 15:15:00 UTC
Last modified on: 05/09/2023 01:38:00 UTC