View online: https://www.drupal.org/sa-contrib-2025-047
Project: Restrict route by IP [1] Date: 2025-May-07 Security risk: *Critical* 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Request Forgery
Affected versions: <1.3.0 CVE IDs: CVE-2025-47701 Description: The Restrict route by IP module provides an interface to manage route restriction by IP address.
The module doesn't sufficiently protect certain routes from CSRF attacks.
This vulnerability is mitigated by the fact that you need to know the route machine name.
Solution: Install the latest version:
* If you use the restrict_route_by_ip module for Drupal 10.x or 11.x, upgrade to restrict_route_by_ip 1.3.0 [3]
Reported By: * Juraj Nemec (poker10) [4] of the Drupal Security Team
Fixed By: * lozbes [5]
Coordinated By: * Greg Knaddison (greggles) [6] of the Drupal Security Team * Juraj Nemec (poker10) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/restrict_route_by_ip [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/restrict_route_by_ip/releases/1.3.0 [4] https://www.drupal.org/u/poker10 [5] https://www.drupal.org/u/lozbes [6] https://www.drupal.org/u/greggles [7] https://www.drupal.org/u/poker10