{"id":"DRUPAL-CONTRIB-2025-111","details":"This module allows you to specify an HTTP header name to determine the client's IP address.\n\nThe module doesn't sufficiently handle all cases when the Drupal Core setting `$settings['reverse_proxy']` is set to TRUE and `$settings['reverse_proxy_addresses']` is configured.\n\nThis vulnerability allows an attacker to spoof a request IP address (as Drupal sees it), potentially bypassing a variety of controls.","aliases":["CVE-2025-10929","GHSA-fg8x-q69g-4qp3"],"modified":"2025-12-10T23:41:00.367986Z","published":"2025-09-24T17:28:05Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-contrib-2025-111"}],"affected":[{"package":{"name":"drupal/reverse_proxy_header","ecosystem":"Packagist:https://packages.drupal.org/8","purl":"pkg:composer/drupal/reverse_proxy_header"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.1.2"}],"database_specific":{"constraint":"\u003c1.1.2"}}],"database_specific":{"source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/reverse_proxy_header/DRUPAL-CONTRIB-2025-111.json","affected_versions":"\u003c1.1.2"}}],"schema_version":"1.7.3","credits":[{"name":"Pierre Rudloff (prudloff)","contact":["https://www.drupal.org/u/prudloff"]}]}