Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111

Vulnerability

Overview CVE-2025-10929 is an improper validation of consistency within input vulnerability in the Drupal Reverse Proxy Header module. The module fails to sufficiently validate the HTTP header used to determine the client's IP address when Drupal Core's reverse proxy settings are enabled. This affects all versions from 0.0.0 before 1.1.2 [1][2].

Exploitation

An attacker can exploit this by sending a crafted HTTP request with a spoofed header (e.g., X-REVERSE-PROXY-HEADER-NAME: 8.8.8.8) to a site that has $settings['reverse_proxy'] set to TRUE, $settings['reverse_proxy_header'] configured, and $settings['reverse_proxy_addresses'] populated. No authentication is required, and the attack is performed over the network [2].

Impact

Successful exploitation allows an attacker to spoof the client IP address as seen by Drupal. This can bypass access controls, rate limiting, or other security mechanisms that rely on the client's IP address, potentially leading to unauthorized access or actions [2].

Mitigation

The vulnerability is fixed in version 1.1.2 of the module. Sites must upgrade to this version and verify their Drupal Core reverse proxy settings. The module also introduces a new setting $settings['reverse_proxy_header_trusted_addresses_ignore'] to help administrators configure trusted proxies correctly. Sites that do not have reverse proxy enabled are not affected [2].