[Security-news] Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111
security-news at drupal.org
security-news at drupal.org
Wed Sep 24 17:28:06 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-111
Project: Reverse Proxy Header [1]
Date: 2025-September-24
Security risk: *Less critical* 8 ∕ 25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: <1.1.2
CVE IDs: CVE-2025-10929
Description:
This module allows you to specify an HTTP header name to determine the
client's IP address.
The module doesn't sufficiently handle all cases under the scenario if Drupal
Core settings $settings['reverse_proxy'] is set to TRUE and
$settings['reverse_proxy_addresses'] is configured.
This vulnerability allows an attacker to spoof a request IP address (as
Drupal sees it), potentially bypassing a variety of controls.
Solution:
To resolve this issue, sites must both upgrade and confirm their settings.
Install the latest 1.1.2 version. [3]
Check your settings:
- $settings['reverse_proxy'] (Drupal Core setting);
- $settings['reverse_proxy_addresses'] (Drupal Core setting);
- $settings['reverse_proxy_header'] (this module setting);
- $settings['reverse_proxy_header_trusted_addresses_ignore'] (this module
setting introduced in this release).
This security release does not affect your Drupal instance if:
- or $settings['reverse_proxy'] is not set or set to FALSE;
- or $settings['reverse_proxy_header'] is not set or set to FALSE;
- or $settings['reverse_proxy_addresses'] is not set or set to an empty
array.
This security release may affect your Drupal instance if:
- and $settings['reverse_proxy'] is set to TRUE;
- and $settings['reverse_proxy_header'] is set;
- and $settings['reverse_proxy_addresses'] is configured.
If your configuration meets all three criteria simultaneously, you need to
verify how Drupal determines the client IP address.
*How to verify:*
It can be checked by sending a request from a non-trusted proxy/server like:
curl -I -H "X-REVERSE-PROXY-HEADER-NAME:8.8.8.8" your-hostname/some-path`
If Drupal detects the client IP address (for example, at the dblog report),
everything works as expected.
If Drupal detects the client IP address as 8.8.8.8, you may need to check
your $settings['reverse_proxy_addresses'] and/or review the documentation in
the README file about
$settings['reverse_proxy_header_trusted_addresses_ignore'].
*Reccomendation:*
Although it is not required to have $settings['reverse_proxy_addresses']
(Drupal Core setting) configured, it's always preferred to do so to improve
security.
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team
Fixed By:
* Bohdan Artemchuk (bohart) [5]
* Drew Webber (mcdruid) [6] of the Drupal Security Team
* Pierre Rudloff (prudloff) [7] provisional member of the Drupal Security
Team
Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
* Pierre Rudloff (prudloff) [10] provisional member of the Drupal Security
Team
------------------------------------------------------------------------------
Contribution record [11]
[1] https://www.drupal.org/project/reverse_proxy_header
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/reverse_proxy_header/releases/1.1.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/bohart
[6] https://www.drupal.org/u/mcdruid
[7] https://www.drupal.org/u/prudloff
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/prudloff
[11]
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3548500
More information about the Security-news
mailing list