Drupal REST Remote Code Execution
Description
Drupal versions 7.x and 8.x contain a remote code execution vulnerability when web services modules are enabled. The vulnerability exists because certain field types fail to properly sanitize data received from non-form sources, such as REST API requests. This allows attackers to inject and execute arbitrary PHP code on the server.
A Drupal site is vulnerable if any of the following conditions are met:
- Drupal 8 core RESTful Web Services (rest) module is enabled and accepts GET, PATCH, or POST requests
- JSON:API module is enabled (Drupal 8)
- Services or RESTful Web Services modules are enabled (Drupal 7)
Note: The REST module is disabled by default in Drupal installations.
Remediation
Apply the appropriate security updates immediately based on your Drupal version:
For Drupal 8:
- If running Drupal 8.6.x: Upgrade to Drupal 8.6.10 or later
- If running Drupal 8.5.x or earlier: Upgrade to Drupal 8.5.11 or later
For Drupal 7:
- No core update is required, but update all contributed web services modules (Services, RESTful Web Services) to their latest versions
Additional steps:
- After updating Drupal core, immediately update all contributed modules and themes
- Review and disable any unnecessary web services modules if they are not required for your site's functionality
- Implement web application firewall (WAF) rules to filter malicious REST API requests
- Monitor server logs for suspicious API activity or unexpected PHP execution attempts
Refer to the official Drupal security advisory SA-CORE-2019-003 for complete update instructions and additional security guidance.
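The two conditions above (an exposed web services module enabled and, for Drupal 8, core below the fixed release for its branch) can be turned into a quick triage check. This is an added example, not code from the advisory or from Drupal; the module machine names (`rest`, `jsonapi`, `services`, `restws`) are assumed, and the version string and enabled-module list are expected to come from the site (for instance via drush) outside this script.

```python
from typing import Dict, Iterable, Tuple

# Fixed core releases named in the advisory.
FIXED_8_6 = (8, 6, 10)
FIXED_8_5 = (8, 5, 11)

# Assumed module machine names for the web services modules the advisory lists.
D8_WEB_SERVICES = {"rest", "jsonapi"}
D7_WEB_SERVICES = {"services", "restws"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.6.9' or '8.6.9-dev' -> (8, 6, 9); anything after '-' is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def core_is_patched(version: str) -> bool:
    """True if Drupal 8 core is at or above the fixed release for its branch."""
    v = parse_version(version)
    if v[0] != 8:
        return True  # Drupal 7 core itself needs no update per the advisory
    if v[:2] == (8, 6):
        return v >= FIXED_8_6
    return v >= FIXED_8_5  # 8.5.x or earlier must move to 8.5.11 or later


def assess(version: str, enabled_modules: Iterable[str]) -> Dict[str, object]:
    """Combine the advisory's conditions: exposed module enabled and unpatched core.

    For Drupal 7 the core version does not matter; an enabled Services or
    RESTful Web Services module means the contributed module versions need review.
    """
    enabled = set(enabled_modules)
    v = parse_version(version)
    if v[0] == 8:
        exposed = sorted(enabled & D8_WEB_SERVICES)
        vulnerable = bool(exposed) and not core_is_patched(version)
        target = "8.6.10" if v[:2] == (8, 6) else "8.5.11"
        action = f"upgrade core to {target} or later" if vulnerable else ""
        return {"exposed": exposed, "vulnerable": vulnerable, "action": action}
    if v[0] == 7:
        exposed = sorted(enabled & D7_WEB_SERVICES)
        action = "update contributed web services modules" if exposed else ""
        return {"exposed": exposed, "vulnerable": bool(exposed), "action": action}
    return {"exposed": [], "vulnerable": False, "action": ""}


if __name__ == "__main__":
    # Constructed sample input: an 8.6.x site with the core REST module enabled.
    print(assess("8.6.9", ["node", "user", "rest"]))
```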