[Security-news] File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089
security-news at drupal.org
Wed Jul 16 16:46:09 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-089
Project: File Download [1]
Date: 2025-July-16
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <1.9.0 || >=2.0.0 <2.0.1
CVE IDs: CVE-2025-7717
Description:
The File Download module allows users to download file and image
entities directly using a custom field formatter. It also provides an
optional submodule to count and display file downloads in Views, similar to
how the core statistics module tracks content views.
The File Download module does not properly validate input when handling file
access requests. This can allow users to bypass protections and access
private files that should not be publicly available.
Solution:
Install the latest version:
* If you use the File Download module for Drupal 8.x, upgrade to File
Download 2.0.1 [3] or File Download 8.x-1.9 [4].
Reported By:
* Willem Drupal enthousiast (willempje2) [5]
Fixed By:
* Shelane French (shelane) [6]
* Willem Drupal enthousiast (willempje2) [7]
Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
* Jess (xjm) [10] of the Drupal Security Team
[1] https://www.drupal.org/project/file_download
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/file_download/releases/2.0.1
[4] https://www.drupal.org/project/file_download/releases/8.x-1.9
[5] https://www.drupal.org/u/willempje2
[6] https://www.drupal.org/u/shelane
[7] https://www.drupal.org/u/willempje2
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/xjm
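One way to check an installed File Download version against the "Affected versions" range above. This is an added example, not part of the advisory or the File Download project. It assumes the legacy tag form 8.x-1.9 corresponds to 1.9.0, and it rejects dev or pre-release strings rather than guessing how they order.

```python
import operator
import re

# Constraint copied verbatim from the advisory's "Affected versions" line.
AFFECTED = "<1.9.0 || >=2.0.0 <2.0.1"

OPS = {"<": operator.lt, "<=": operator.le,
       ">": operator.gt, ">=": operator.ge, "=": operator.eq}


def parse_version(text):
    """Return (major, minor, patch) for '2.0.1', '1.9' or legacy '8.x-1.9'."""
    # Assumption: the Drupal core prefix ('8.x-') carries no ordering
    # information, so '8.x-1.9' is compared as 1.9.0.
    m = re.fullmatch(r"(?:\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        # Dev branches and pre-releases (e.g. '2.0.x-dev', '2.0.0-beta1')
        # are refused so that a human decides instead of the script.
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def _matches(version, comparator):
    """Evaluate one comparator such as '<1.9.0' against a parsed version."""
    m = re.fullmatch(r"(<=|>=|<|>|=)(.+)", comparator)
    if not m:
        raise ValueError(f"unsupported comparator: {comparator!r}")
    return OPS[m.group(1)](version, parse_version(m.group(2)))


def is_affected(installed, constraint=AFFECTED):
    """True if `installed` falls inside any '||'-separated range."""
    version = parse_version(installed)
    for clause in constraint.split("||"):
        comparators = clause.split()
        # Comparators inside one clause are ANDed; clauses are ORed.
        if comparators and all(_matches(version, c) for c in comparators):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real site.
    for v in ["8.x-1.8", "8.x-1.9", "2.0.0", "2.0.1"]:
        print(f"{v:10} {'AFFECTED' if is_affected(v) else 'ok'}")
```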