Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-March-05
Security risk:
Vulnerability:
Access bypass
Affected versions:
<1.10.0
CVE IDs:
CVE-2025-31694
Description:
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.
The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur.
This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential.
Solution:
Install the latest version and run database updates:
- If you use the Two-factor Authentication (TFA) module for Drupal 8.x, upgrade to Two-factor Authentication (TFA) 8.x-1.10
- Run the database updates. See help documentation on how to run database updates.
TFA 8.x-1.10 will provide a status report error if it detects a known route is being bypassed.
Caution: TFA 8.x-1.10 will attempt to restore these routes to expected norms. This may disable routes added by other modules.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
