Date
Severity: Critical
Vulnerability: JavaScript prototype pollution
Affected versions: <7.104

Description

When successfully exploited, this vulnerability allows attackers to inject arbitrary properties into the JavaScript Object.prototype, which can affect all objects in the application. This release backports a fix, taken from the Backdrop Module Filter module, to the jQuery BBQ library, which is used by several popular modules, including Views, Overlay and Module Filter.

Of the usages inspected, only Overlay was found to be using BBQ in a vulnerable manner.
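
The class of bug described above, shown as an added example that is not code from jQuery BBQ, Drupal or the backported fix: a simplified bracket-notation query-string parser with a guard that drops keys reaching Object.prototype. The names parseParams, keyPath, FORBIDDEN_KEYS and SAMPLE are hypothetical, and the sample input is constructed.

```javascript
// Added example: simplified bracket-notation query-string parser.
// Not jQuery BBQ's code; all names here are hypothetical.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ["a", "b", "c"].
function keyPath(rawKey) {
  const path = [rawKey.split('[')[0]];
  const re = /\[([^\]]*)\]/g;
  let m;
  while ((m = re.exec(rawKey)) !== null) path.push(m[1]);
  return path;
}

// guard=true drops any pair whose path contains a prototype-reaching key
// and builds the result from null-prototype objects.
// guard=false reproduces the unsafe merge, kept only for comparison.
function parseParams(query, guard = true) {
  const result = guard ? Object.create(null) : {};
  for (const pair of query.replace(/^[?#]/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, ' '));
    const path = keyPath(rawKey);
    if (guard && path.some((k) => FORBIDDEN_KEYS.has(k))) continue; // drop the pair
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      // Unsafe step: on a plain object, node['__proto__'] is Object.prototype,
      // so the final assignment below lands on every object in the page.
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = guard ? Object.create(null) : {};
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Constructed sample input: one ordinary parameter, one prototype-reaching key.
const SAMPLE = 'view=list&__proto__[injected]=yes';
```

With the guard on, only `view` survives parsing and a fresh `{}` has no `injected` property; with it off, every object inherits `injected`.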

Solution

Upgrade to Drupal 7.104:


Reported by

Fixed by

  • Tag1 D7ES and Yii community

Coordinated by

  • Tag1 D7ES