Drupal 8 core RESTful Web Services RCE

Rejah Rehim
Published on
16 Jun 2021

The CVE-2019–6340 remote code execution flaw in Drupal 8’s REST API module affects websites that use the Drupal REST API option. This vulnerability occurs when some other web services module is allowed on the server, such as JSON-API in Drupal 8 or REST services in Drupal 7, or when the Drupal 8 core RESTful API Services module is enabled on the site, enabling users to send GET, PATCH, and POST requests to the server. Despite the fact that the PATCH method is disabled, a GET request is enough to cause the code execution flaw. By sending a malicious GET request to the /node/id API endpoint with a serialized payload, an attacker can take over control of the vulnerable Drupal website (command to execute in server).

Mitigation / Precaution

  • It is advised to upgrade Drupal to the most recent versions with security patches, such as versions 8.6.10 and 8.5.11.
  • If you are using Drupal 7, upgrade all modules.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Rejah Rehim
Rejah Rehim
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment