
CVE-2025-10929: Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables

CVSS Score (v3.1): 5.3
Basic Information

EPSS Score: 0.18114%
Published: 10/30/2025
Updated: 10/30/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name: drupal/reverse_proxy_header
Ecosystem: composer
Vulnerable Versions: < 1.1.2
First Patched Version: 1.1.2

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability exists in the reverse_proxy_header Drupal module, which is designed to help Drupal identify the true client IP address when operating behind a reverse proxy. The core of the vulnerability lies in two functions: reverse_proxy_header_boot in reverse_proxy_header.module and onKernelRequest in src/EventSubscriber/ReverseProxyHeaderSubscriber.php. Both functions were responsible for reading an IP address from a configured HTTP header (e.g., X-Forwarded-For) and setting it as the client's remote address (REMOTE_ADDR).

The flaw was that this operation was performed without proper validation. Specifically, the code did not check if the request was coming from a trusted reverse proxy. As a result, an attacker could send a request directly to the web server (or through a trusted proxy that allows passing arbitrary headers) with a forged header, effectively spoofing their IP address. This could allow them to bypass IP-based restrictions, such as access control lists or rate limiting.

The patch addresses this by introducing a check using $request->isFromTrustedProxy(). With the fix, the module will only use the IP from the header if the request does not come from a trusted proxy, or if a new setting $settings['reverse_proxy_header_trusted_addresses_ignore'] is explicitly set to TRUE. This ensures that the IP address is only rewritten in environments where it is safe to do so, preventing the IP spoofing vulnerability.

Vulnerable functions

Function: reverse_proxy_header_boot
File: reverse_proxy_header.module
The function `reverse_proxy_header_boot` in `reverse_proxy_header.module` unconditionally trusted the HTTP header specified in the `reverse_proxy_header` setting to determine the client's IP address. When Drupal is configured with a reverse proxy, this allows an attacker to spoof their IP address by sending a request with a forged header, potentially bypassing IP-based access restrictions. The vulnerability lies in the lack of validation to ensure that the request is not coming from a trusted proxy before overwriting the `REMOTE_ADDR`.

Function: Drupal\reverse_proxy_header\EventSubscriber\ReverseProxyHeaderSubscriber::onKernelRequest
File: src/EventSubscriber/ReverseProxyHeaderSubscriber.php
The `onKernelRequest` method within the `ReverseProxyHeaderSubscriber` class unconditionally trusted the HTTP header specified in the `reverse_proxy_header` setting. This allowed an attacker to spoof their IP address by forging the header value, even when the request is forwarded by a trusted reverse proxy. This could lead to bypassing security controls that rely on the client's IP address. The function was vulnerable because it did not check if the request was from a trusted proxy before modifying the `REMOTE_ADDR`.
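The pre-fix and hardened behaviour described in the root cause analysis and in the two function notes above, as an added Python illustration that is not the module's code: the client-IP header is honoured only when the TCP peer is one of the site's own proxies, and the forwarding chain is walked right-to-left past trusted hops. The module's `reverse_proxy_header_trusted_addresses_ignore` setting is not modelled, and the header name, trusted ranges and request samples are constructed for the example.

```python
import ipaddress

# Constructed sample configuration: documentation ranges, not real hosts.
TRUSTED_PROXIES = ("192.0.2.0/24",)   # the site's own reverse proxies
HEADER = "X-Forwarded-For"            # header the module is configured to read


def _parse_ip(addr):
    """Return an ip_address object, or None for a malformed value."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _is_trusted(addr, trusted_networks):
    ip = _parse_ip(addr)
    return ip is not None and any(
        ip in ipaddress.ip_network(net) for net in trusted_networks)


def vulnerable_client_ip(remote_addr, headers):
    """Pre-fix behaviour: whoever sends the header chooses the REMOTE_ADDR."""
    value = headers.get(HEADER)
    if value:
        return value.split(",")[0].strip()
    return remote_addr


def hardened_client_ip(remote_addr, headers, trusted_networks=TRUSTED_PROXIES):
    """Honour the header only when the peer is a trusted proxy, then return the
    rightmost hop that is not one of our own proxies (the hop the proxy appended)."""
    if not _is_trusted(remote_addr, trusted_networks):
        return remote_addr  # direct request: the header is attacker-controlled
    hops = [h.strip() for h in headers.get(HEADER, "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse_ip(hop) is None:
            return remote_addr  # malformed chain: refuse to rewrite
        if not _is_trusted(hop, trusted_networks):
            return hop
    return remote_addr  # header absent or every hop is one of ours


if __name__ == "__main__":
    # 1. forged header sent straight to the origin, bypassing the proxy
    direct = ("203.0.113.7", {HEADER: "10.0.0.5"})
    # 2. request through the proxy, which appended the real client IP after
    #    a forged value the client supplied itself
    via_proxy = ("192.0.2.10", {HEADER: "10.0.0.5, 198.51.100.9"})
    for remote, hdrs in (direct, via_proxy):
        print(remote, "vulnerable:", vulnerable_client_ip(remote, hdrs),
              "hardened:", hardened_client_ip(remote, hdrs))
```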
