[Security-news] Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047

security-news at drupal.org
Wed May 7 17:06:18 UTC 2025


View online: https://www.drupal.org/sa-contrib-2025-047

Project: Restrict route by IP [1]
Date: 2025-May-07
Security risk: *Critical* 16 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery

Affected versions: <1.3.0
CVE IDs: CVE-2025-47701
Description: 
The Restrict route by IP module provides an interface to manage route
restriction by IP address.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that you need to know the route
machine name.
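The advisory does not say which routes were affected or how the fix was made, so the following is an added illustration of Drupal's route-level CSRF protection in general, not the module's own routing file or its actual fix. The module name, route names, paths, controller and permission are all hypothetical. It shows the shape of a state-changing route that relies on a permission check alone, next to the same route with the `_csrf_token` requirement that makes Drupal's router demand a session-bound token before the controller runs.

```yaml
# Added example; example_module, its routes, paths, controller and permission are hypothetical.
# A real routing.yml would contain only one of the two variants below.

# Weak: a state-changing route guarded only by a permission check.
# A request to this path that was forged from another origin still carries the
# victim's session cookie, so the permission check passes and the action runs.
example_module.rule_delete_unprotected:
  path: '/admin/config/example/ip-rule/{rule_id}/delete'
  defaults:
    _controller: '\Drupal\example_module\Controller\RuleController::delete'
  requirements:
    _permission: 'administer example rules'

# Hardened: the same route with Drupal's route-level CSRF protection.
# _csrf_token: 'TRUE' makes the router require a ?token= query parameter and
# validates it (via the csrf_token service) against the route path and the
# current session, so a forged request without a valid token is rejected
# before the controller is reached. Links built with Url::fromRoute() for a
# route carrying this requirement get the token appended automatically.
example_module.rule_delete:
  path: '/admin/config/example/ip-rule/{rule_id}/delete'
  defaults:
    _controller: '\Drupal\example_module\Controller\RuleController::delete'
  requirements:
    _permission: 'administer example rules'
    _csrf_token: 'TRUE'
```

When reviewing a contrib module for this class of issue, look for routes that change state (delete, toggle, enable, reset) and are served by a plain `_controller` rather than a `_form`: routes backed by a Form API form inherit CSRF protection through the form token, while controller routes only get it when the `_csrf_token` requirement is present.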

Solution: 
Install the latest version:

  * If you use the restrict_route_by_ip module for Drupal 10.x or 11.x,
    upgrade to restrict_route_by_ip 1.3.0 [3]

Reported By: 
  * Juraj Nemec (poker10) [4] of the Drupal Security Team

Fixed By: 
  * lozbes [5]

Coordinated By: 
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Juraj Nemec (poker10) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/restrict_route_by_ip
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/restrict_route_by_ip/releases/1.3.0
[4] https://www.drupal.org/u/poker10
[5] https://www.drupal.org/u/lozbes
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10


