Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047

Project:

Date:

2025-May-07

Security risk:

Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross Site Request Forgery

Affected versions:

<1.3.0

CVE IDs:

CVE-2025-47701

Description:

The Restrict route by IP module provides an interface to manage route restriction by IP address.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that you need to know the route machine name.

Solution:

Install the latest version:

If you use the restrict_route_by_ip module for Drupal 10.x or 11.x, upgrade to restrict_route_by_ip 1.3.0

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.