Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047
Project: Restrict route by IP
Date: 2025-May-07
Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Request Forgery
Affected versions: <1.3.0
CVE IDs: CVE-2025-47701
Description: The Restrict route by IP module provides an interface to manage route restriction by IP address.
The module doesn't sufficiently protect certain routes from CSRF attacks.
This vulnerability is mitigated by the fact that you need to know the route machine name.
Solution: Install the latest version:
- If you use the restrict_route_by_ip module for Drupal 10.x or 11.x, upgrade to restrict_route_by_ip 1.3.0
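The advisory describes a route-level CSRF weakness, so the following is an added illustration of how Drupal routes are protected against this class of issue. It is not the restrict_route_by_ip module's code and does not reproduce its actual routes: the module name (mymodule), route names, path, permission and controller class are assumptions. It shows a state-changing administrative route as it would look without CSRF protection, next to the same definition with Drupal core's `_csrf_token` route requirement added.

```yaml
# Added example, not code from the restrict_route_by_ip project.
# Hypothetical module "mymodule"; route names, path, permission and controller
# are assumptions. The two entries are the "before" and "after" versions of one
# route definition, shown side by side (a real routing.yml would keep only one).

# BEFORE (weak): a GET-reachable route that changes state. Any request carrying
# an authenticated administrator's session cookie is accepted, which is the
# exposure a CSRF attack abuses. Reaching it still requires knowing the route
# machine name, which is the mitigating factor the advisory notes.
mymodule.ip_rule_delete:
  path: '/admin/config/mymodule/rule/{rule}/delete'
  defaults:
    _controller: '\Drupal\mymodule\Controller\RuleController::delete'
    _title: 'Delete IP rule'
  requirements:
    _permission: 'administer mymodule'

# AFTER (hardened): the '_csrf_token' requirement makes Drupal core's
# CsrfAccessCheck reject any request whose 'token' query parameter does not
# match a token generated for this path and the current session. Links built
# with Url::fromRoute('mymodule.ip_rule_delete', ['rule' => $id]) get the token
# appended automatically by core's RouteProcessorCsrf, so legitimate UI links
# keep working while cross-site requests fail access checking.
mymodule.ip_rule_delete:
  path: '/admin/config/mymodule/rule/{rule}/delete'
  defaults:
    _controller: '\Drupal\mymodule\Controller\RuleController::delete'
    _title: 'Delete IP rule'
  requirements:
    _permission: 'administer mymodule'
    _csrf_token: 'TRUE'
```

Two checks worth making when reviewing a module for this issue: every route whose controller changes state should either carry `_csrf_token: 'TRUE'` or be served by a Form API form (for example a ConfirmFormBase subclass), which validates its own form token; and a route-level token alone is not a substitute for also enforcing the correct `_permission`. Upgrading to the fixed release (1.3.0) is the advisory's solution; the example only illustrates the mechanism a reviewer would look for.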
Reported By:
- Juraj Nemec (poker10) of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team