"Ricochet was very impressive with their knowledge, abilities and professionalism. We never ran into a technological roadblock or problem that couldn't be solved. They were able to offer new, cutting-edge solutions around every corner, and they were fantastic about staying in communication. It seemed like we were always able to get ahold of someone, whether it was Tuesday at 1am or Saturday at 7am, someone was quick to respond and help address an emergency or even a simple inquiry. Truly professional service, and quality work.
—Jacob Sowinski, Blue Canvas

File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089

Wed, 2025-07-16 09:46 — Anonymous (not verified)

Project: File DownloadDate: 2025-July-16Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.9.0 || >=2.0.0 <2.0.1CVE IDs: CVE-2025-7717Description: The File Download enables you to allow users to download file and image entities directly using a custom field formatter. It also provides an optional submodule to count and display file downloads in Views, similar to how the core statistics module tracks content views.
The File Download module does not properly validate input when handling file access requests. This can allow users to bypass protections and access private files that should not be publicly available.Solution: Install the latest version:

If you use the File Download module for Drupal 8.x, upgrade to File Download 2.0.1 or File Download 8.x-1.9.

Reported By:

Willem Drupal enthousiast (willempje2)

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-089

Search form

File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089