Fluid Attacks Database

Description

This module enables integration between Next.js and Drupal for headless CMS functionality.

When installed, the module automatically enables cross-origin resource sharing (CORS) with insecure default settings (Access-Control-Allow-Origin: *), overriding any services.yml CORS configuration. This allows any origin to make cross-origin requests to the site without administrator knowledge or consent.

This vulnerability affects all installations as there are no configuration options to disable this behavior.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/next	>=0 <1.6.4 \|\| >=2.0.0 <2.0.1	1.6.4, 2.0.1

Aliases

1. CVE-2025-139842. NVD-2025-139843. OSV-DRUPAL-CONTRIB-2025-1224. OSV-2025-139845. GCVE-2025-139846. drupal.org

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.