Executive Summary

CVE-2025-11570 is a Cross-site Scripting (XSS) vulnerability in the drupal-pattern-lab/unified-twig-extensions package. It occurs due to insufficient filtering and escaping of user input data, allowing malicious scripts to be injected and executed in users' browsers. This vulnerability is exploitable only if the code is executed outside of Drupal, as the affected function is intended to be shared between Drupal and Pattern Lab. The issue arises because example code included in the module does not adequately sanitize data, which can lead to XSS attacks if copied into a site's theme. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, exposure of sensitive information, unauthorized access, and malware delivery. The impact on confidentiality and integrity is low but present, while availability is not affected. Exploitation requires network access, low privileges, and user interaction. The risk is mitigated somewhat because exploitation requires the vulnerable example code to be copied into a site's theme and executed outside of Drupal. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying usage of vulnerable versions of the drupal-pattern-lab/unified-twig-extensions package and checking for unsanitized Twig template code that could lead to XSS. You can scan your codebase for instances of the vulnerable Twig function usage, such as searching for patterns like `{{ link('<script>alert(`XSS`);</script>', 'bar', '') }}` or other unsanitized inputs in Twig templates. Additionally, monitoring web traffic for reflected or stored XSS payloads may help detect exploitation attempts. Specific commands could include using grep or similar tools to search for suspicious Twig template code, for example: `grep -r '{{ link(' path/to/your/theme/` or scanning HTTP logs for suspicious script injection patterns. However, no explicit detection commands are provided in the resources. [2, 1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading to Unified Twig Extensions version 1.1.1 or later, where the vulnerability is fixed. If upgrading is not immediately possible, ensure that any example code from the vulnerable package is not copied into your site's theme, as exploitation requires such usage. Additionally, sanitize and validate all user inputs, escape special characters in templates, enforce Content Security Policies (CSP), disable client-side scripts where feasible, and review your Twig templates for unsafe code. Contacting the Drupal Security Team for further guidance is also recommended. [1, 2]

Useful 0 Not Useful 0