View online: https://www.drupal.org/sa-contrib-2025-111
Project: Reverse Proxy Header [1] Date: 2025-September-24 Security risk: *Less critical* 8 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass
Affected versions: <1.1.2 CVE IDs: CVE-2025-10929 Description: This module allows you to specify an HTTP header name to determine the client's IP address.
The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings['reverse_proxy'] is set to TRUE and $settings['reverse_proxy_addresses'] is configured.
This vulnerability allows an attacker to spoof a request IP address (as Drupal sees it), potentially bypassing a variety of controls.
Solution: To resolve this issue, sites must both upgrade and confirm their settings.
Install the latest 1.1.2 version. [3]
Check your settings: - $settings['reverse_proxy'] (Drupal Core setting); - $settings['reverse_proxy_addresses'] (Drupal Core setting); - $settings['reverse_proxy_header'] (this module setting); - $settings['reverse_proxy_header_trusted_addresses_ignore'] (this module setting introduced in this release).
This security release does not affect your Drupal instance if: - or $settings['reverse_proxy'] is not set or set to FALSE; - or $settings['reverse_proxy_header'] is not set or set to FALSE; - or $settings['reverse_proxy_addresses'] is not set or set to an empty array.
This security release may affect your Drupal instance if: - and $settings['reverse_proxy'] is set to TRUE; - and $settings['reverse_proxy_header'] is set; - and $settings['reverse_proxy_addresses'] is configured. If your configuration meets all three criteria simultaneously, you need to verify how Drupal determines the client IP address.
*How to verify:*
It can be checked by sending a request from a non-trusted proxy/server like: curl -I -H "X-REVERSE-PROXY-HEADER-NAME:8.8.8.8" your-hostname/some-path`
If Drupal detects the client IP address (for example, at the dblog report), everything works as expected.
If Drupal detects the client IP address as 8.8.8.8, you may need to check your $settings['reverse_proxy_addresses'] and/or review the documentation in the README file about $settings['reverse_proxy_header_trusted_addresses_ignore'].
*Reccomendation:*
Although it is not required to have $settings['reverse_proxy_addresses'] (Drupal Core setting) configured, it's always preferred to do so to improve security.
Reported By: * Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team
Fixed By: * Bohdan Artemchuk (bohart) [5] * Drew Webber (mcdruid) [6] of the Drupal Security Team * Pierre Rudloff (prudloff) [7] provisional member of the Drupal Security Team
Coordinated By: * Greg Knaddison (greggles) [8] of the Drupal Security Team * Juraj Nemec (poker10) [9] of the Drupal Security Team * Pierre Rudloff (prudloff) [10] provisional member of the Drupal Security Team
------------------------------------------------------------------------------ Contribution record [11]
[1] https://www.drupal.org/project/reverse_proxy_header [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/reverse_proxy_header/releases/1.1.2 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/bohart [6] https://www.drupal.org/u/mcdruid [7] https://www.drupal.org/u/prudloff [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://www.drupal.org/u/prudloff [11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....