DRUPAL-CONTRIB-2025-111

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/reverse_proxy_header/DRUPAL-CONTRIB-2025-111.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-111
Aliases
Published
2025-09-24T17:28:05Z
Modified
2025-12-10T23:41:00.367986Z
Summary
[none]
Details

This module allows you to specify an HTTP header name to determine the client's IP address.

The module doesn't sufficiently handle all cases when the Drupal core setting $settings['reverse_proxy'] is set to TRUE and $settings['reverse_proxy_addresses'] is configured.

This vulnerability allows an attacker to spoof a request IP address (as Drupal sees it), potentially bypassing a variety of controls.
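The advisory does not say which cases the module mishandles, so the following is an added illustration (not the module's or Drupal core's code) of the general check this class of bug defeats: a client-IP header is honoured only when the direct peer is a configured proxy and the header holds exactly one valid IP. The function name, the X-Real-IP header and the sample addresses are assumptions; proxy matching is exact-match only, with no CIDR ranges.

```php
<?php
// Added illustration; resolve_client_ip() and all sample values are hypothetical.

/**
 * Return the client IP for a request.
 * $server   - a $_SERVER-style array (REMOTE_ADDR plus HTTP_* header keys)
 * $settings - the two Drupal settings named in the advisory
 * $header   - the configured header name, e.g. "X-Real-IP" (assumed)
 */
function resolve_client_ip(array $server, array $settings, string $header): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $proxyMode = !empty($settings['reverse_proxy']);
    $trusted = $settings['reverse_proxy_addresses'] ?? [];

    // Header is attacker-controlled unless the TCP peer is a listed proxy.
    if (!$proxyMode || !in_array($peer, $trusted, true)) {
        return $peer;
    }

    // PHP exposes the header "X-Real-IP" as the key HTTP_X_REAL_IP.
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $header));
    $value = trim($server[$key] ?? '');

    // Missing, malformed or multi-valued header: fall back to the peer address.
    if (filter_var($value, FILTER_VALIDATE_IP) === false) {
        return $peer;
    }
    return $value;
}

// Constructed sample configuration and requests (documentation address ranges).
$settings = [
    'reverse_proxy' => true,
    'reverse_proxy_addresses' => ['10.0.0.5'],
];
$requests = [
    'via trusted proxy'        => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_REAL_IP' => '203.0.113.7'],
    'direct, header supplied'  => ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_REAL_IP' => '127.0.0.1'],
    'trusted proxy, bad value' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_REAL_IP' => '203.0.113.7, 127.0.0.1'],
];
foreach ($requests as $label => $server) {
    printf("%-26s => %s\n", $label, resolve_client_ip($server, $settings, 'X-Real-IP'));
}
```

Only the first request resolves to the header value; the other two fall back to REMOTE_ADDR, which is what IP-based controls such as allowlists and flood limits should then see.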

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/reverse_proxy_header

Package

Name
drupal/reverse_proxy_header
Purl
pkg:composer/drupal/reverse_proxy_header

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.1.2
Database specific
{
    "constraint": "<1.1.2"
}

Database specific

affected_versions

"<1.1.2"