[Security-news] Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047
security-news at drupal.org
Wed May 7 17:06:18 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-047
Project: Restrict route by IP [1]
Date: 2025-May-07
Security risk: *Critical* 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery
Affected versions: <1.3.0
CVE IDs: CVE-2025-47701
Description:
The Restrict route by IP module provides an interface to manage route
restriction by IP address.
The module doesn't sufficiently protect certain routes from CSRF attacks.
This vulnerability is mitigated by the fact that an attacker needs to know the
route machine name.
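For context on what "insufficiently protected from CSRF" means at the route level in Drupal, here is an added illustration that is not part of this advisory and not the restrict_route_by_ip module's own code. It uses a hypothetical module (example_ip_rules) with a hypothetical state-changing route, and shows the unprotected routing definition next to the one carrying Drupal core's route-level CSRF requirement.

```yaml
# Hypothetical module "example_ip_rules" (constructed for illustration; not
# the restrict_route_by_ip module and not its actual route names).

# BEFORE: a GET route that changes state (removes an IP rule) with only a
# permission check. A forged cross-site request that reaches this path while
# an administrator is logged in is accepted, because nothing ties the request
# to the administrator's own session.
example_ip_rules.rule_delete_unprotected:
  path: '/admin/config/example-ip-rules/{rule_id}/delete'
  defaults:
    _controller: '\Drupal\example_ip_rules\Controller\RuleController::delete'
  requirements:
    _permission: 'administer example ip rules'

# AFTER: the same route with Drupal core's route-level CSRF requirement.
# The CSRF access check rejects any request whose ?token= query parameter does
# not match the session-bound token for this path. Links to the route must be
# generated with Url::fromRoute('example_ip_rules.rule_delete', ['rule_id' => $id])
# so that core's CSRF route processor appends the token automatically.
example_ip_rules.rule_delete:
  path: '/admin/config/example-ip-rules/{rule_id}/delete'
  defaults:
    _controller: '\Drupal\example_ip_rules\Controller\RuleController::delete'
  requirements:
    _permission: 'administer example ip rules'
    _csrf_token: 'TRUE'
```

When reviewing a contributed module for this class of issue, look for routes whose controller performs a write (create, delete, toggle) and whose `requirements:` block has no `_csrf_token` entry; the alternative fix is to route the action through a form built on `ConfirmFormBase`, which carries Drupal's form token and requires a POST.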
Solution:
Install the latest version:
* If you use the restrict_route_by_ip module for Drupal 10.x or 11.x,
upgrade to restrict_route_by_ip 1.3.0 [3]
Reported By:
* Juraj Nemec (poker10) [4] of the Drupal Security Team
Fixed By:
* lozbes [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/restrict_route_by_ip
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/restrict_route_by_ip/releases/1.3.0
[4] https://www.drupal.org/u/poker10
[5] https://www.drupal.org/u/lozbes
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10