Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065

Project:

Quick Node Block

Date:

2025-May-21

Security risk:

Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon

Vulnerability:

Access bypass

Affected versions:

<2.0.0

CVE IDs:

CVE-2025-48013

Description:

This module provides a block to easily display a rendered node.

Access to the rendered node isn't validated before rendering the block. Allowing access to node content for users that would normally not be allowed to access the node.

Solution:

Update to the latest version.

If you use the Quick Node Block module, update to Quick Node Block 2.0.1

Reported By:

Mitch Portier (arkener)

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community