CVE-2025-10929

Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111

CVSS 5.3 MEDIUM | EPSS 0.3% | CWE-1288
In short

The Reverse Proxy Header module in Drupal improperly validates headers from reverse proxies, allowing attackers to manipulate user information if they can control the proxy headers. This could lead to unauthorized access or identity spoofing in certain configurations.

Technical detail

The vulnerability stems from insufficient validation of HTTP headers (CWE-1288) passed through a reverse proxy, enabling attackers positioned to control or inject proxy headers to manipulate user-controlled variables. An attacker with network access to inject reverse proxy headers can bypass access controls or spoof user identity, affecting versions prior to 1.1.2.

Summary generated and translated by AI from the official description.
Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables. This issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
