CVE-2025-31128
gifplayer XSS vulnerability
Description
Gif Player Field creates a simple file field type that allows you to upload GIF files and configure their output using the Field Formatters. The module uses the [GifPlayer jQuery library](https://github.com/rubentd/gifplayer) to render the GIF according to the configured setup for the Field Formatter. The external Gif Player library does not sanitize the attributes properly when rendering the widget, allowing a malicious user to run XSS attacks. This vulnerability is mitigated by the fact that an attacker would need to have an account on the website and be able to create an image tag carrying a data-label attribute. There are no fields that allow that attribute on a default Drupal site for a user with user-level permissions.
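The defect described above is the classic pattern of copying an attribute value straight into generated markup. The following is an added illustration written for this page, not code from the gifplayer library or the Drupal module: the function names `renderLabelUnsafe`, `renderLabelSafe`, `escapeHtml` and `containsForeignMarkup` and the sample label value are assumptions made here to show the unsafe rendering beside its hardened form, and to give a simple check that a rendered widget contains no markup beyond its own wrapper.

```javascript
// Added illustration (not the gifplayer library's code): a widget renderer that
// copies an element's data-label value into the HTML it builds. In the scenario
// the advisory describes, that value is authored by a site user, so it must be
// treated as untrusted text, not as markup.

// Unsafe form: string concatenation trusts the attribute value verbatim.
function renderLabelUnsafe(label) {
  return '<span class="label">' + label + '</span>';
}

// Minimal HTML escaper, adequate for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened form: escape the value before interpolating it into markup.
// In a real DOM widget the equivalent is `span.textContent = el.dataset.label`,
// which never parses the value as HTML at all.
function renderLabelSafe(label) {
  return '<span class="label">' + escapeHtml(label) + '</span>';
}

// Constructed sample value: a label that would inject a tag if copied verbatim.
// (Constructed for this example; not a payload taken from the advisory.)
const CONSTRUCTED_LABEL = 'cat.gif"><b>injected</b>';

// Review-style check: after stripping the wrapper we emitted ourselves, the
// rendered output must contain no angle brackets, i.e. no foreign markup.
function containsForeignMarkup(html) {
  const inner = html
    .replace(/^<span class="label">/, '')
    .replace(/<\/span>$/, '');
  return /[<>]/.test(inner);
}

// Stand-alone demonstration.
console.log('unsafe :', renderLabelUnsafe(CONSTRUCTED_LABEL));
console.log('safe   :', renderLabelSafe(CONSTRUCTED_LABEL));
console.log('unsafe leaks markup:', containsForeignMarkup(renderLabelUnsafe(CONSTRUCTED_LABEL)));
console.log('safe leaks markup  :', containsForeignMarkup(renderLabelSafe(CONSTRUCTED_LABEL)));
```

The escaper is only sufficient for the two contexts named in its comment (element text and double-quoted attribute values); a value placed into a URL, an event handler or an inline script needs context-specific encoding instead. When the widget is built with DOM APIs rather than strings, assigning `textContent` or `setAttribute` removes the need to escape at all, which is the more robust fix.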
How to fix CVE-2025-31128
To remediate CVE-2025-31128, upgrade the affected package to a fixed version below.
- upgrade to 0.3.7 or later
- upgrade to 1.5.0 or later
Is CVE-2025-31128 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 0.3.7
- from 0, < 1.5.0 | >= 2.0.1, < 2.0.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |