CVE-2025-47701
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in Drupal's Restrict route by IP module allows attackers to trick authenticated administrators into performing unauthorized actions. This affects Drupal sites using the Restrict route by IP module to control access to specific routes based on IP addresses. The vulnerability enables attackers to bypass IP-based restrictions through forged requests.
💻 Affected Systems
- Drupal Restrict route by IP module
📦 What is this software?
Restrict Route By Ip by Restrict Route By Ip Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify IP restriction rules, allowing unauthorized access to protected routes, potentially exposing sensitive administrative interfaces or data to external attackers.
Likely Case
Attackers could temporarily disable IP restrictions on specific routes, granting access to users who should be blocked, though this would typically require an authenticated admin to be tricked.
If Mitigated
With proper CSRF protections and admin awareness, the risk is minimal as attacks require social engineering and authenticated admin sessions.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into clicking a malicious link or visiting a compromised site while logged in.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.0
Vendor Advisory: https://www.drupal.org/sa-contrib-2025-047
Restart Required: No
Instructions:
1. Update the Restrict route by IP module to version 1.3.0 via Drupal's update manager or Composer.
2. Clear Drupal caches after the update.
3. Verify the module version in Extend > Installed modules.
🔧 Temporary Workarounds
Enable CSRF protection headers
Configure the web server or Drupal to enforce CSRF tokens on all administrative forms
# Configure in Drupal's settings.php or via security modules
Temporary module disable
Disable the Restrict route by IP module if it is not critically needed
drush pm:uninstall restrict_route_by_ip
# Drupal 8+ has no separate "disabled" state: Drush 9+ uninstalls the module (the older pm:disable command no longer exists)
# Or uninstall via the Drupal admin interface (Extend > Uninstall)
🧯 If You Can't Patch
- Implement network-level IP restrictions for admin interfaces
- Require re-authentication for sensitive configuration changes
🔍 How to Verify
Check if Vulnerable:
Check module version at /admin/modules or via 'drush pm:list | grep restrict_route_by_ip'
Check Version:
drush pm:list --fields=name,version | grep restrict_route_by_ip
Verify Fix Applied:
Confirm module version is 1.3.0 or higher and test IP restriction functionality
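The version check above can be scripted so it is repeatable across many sites. The following is an added example, not code from the advisory or from the module: it parses the output of `drush pm:list --fields=name,version`, finds the restrict_route_by_ip row, and compares the version against the fixed release 1.3.0. The listing embedded in the script is constructed sample output; the version parser also handles the legacy `8.x-` prefix and pre-release suffixes such as `-beta1`, which a naive string comparison would get wrong.

```python
"""Check a Drupal site's Restrict route by IP version against the fix.

Added example (not from the advisory or the module). It parses the
output of `drush pm:list --fields=name,version`, finds the
restrict_route_by_ip row, and compares its version with the fixed
version 1.3.0 named in the advisory. SAMPLE_LISTING is constructed.
"""
import re
import subprocess
from typing import Optional, Tuple

MODULE = "restrict_route_by_ip"
FIXED_VERSION = "1.3.0"  # patch version from the advisory

# Constructed sample of what `drush pm:list --fields=name,version` prints
# (Drush prints the label followed by the machine name in parentheses).
SAMPLE_LISTING = """\
 --------------------------------------------- ----------
  Name                                          Version
 --------------------------------------------- ----------
  Restrict route by IP (restrict_route_by_ip)   8.x-1.2
  Token (token)                                 8.x-1.13
 --------------------------------------------- ----------
"""


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Normalise '8.x-1.2', '1.3.0' or '1.3.0-beta1' into a comparable tuple.

    A legacy core prefix ('8.x-') is dropped, the numeric part is padded to
    three components, and a trailing flag marks a final release (1) versus a
    pre-release such as -alpha1/-beta1/-rc1 (0), so 1.3.0-beta1 < 1.3.0.
    A '-dev' build has no numeric part and sorts lowest (treated as unknown).
    """
    core = re.sub(r"^\d+\.x-", "", text.strip())
    numeric, _, suffix = core.partition("-")
    parts = [int(p) for p in numeric.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], 0 if suffix else 1)


def is_fixed(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed release."""
    return parse_version(version) >= parse_version(fixed)


def find_module_version(listing: str, machine_name: str = MODULE) -> Optional[str]:
    """Return the version column of the row whose machine name matches."""
    pattern = re.compile(r"\(" + re.escape(machine_name) + r"\)\s+(\S+)")
    for line in listing.splitlines():
        m = pattern.search(line)
        if m:
            return m.group(1)
    return None


def assess(listing: str) -> str:
    """Classify a listing as 'not-installed', 'vulnerable' or 'fixed'."""
    version = find_module_version(listing)
    if version is None:
        return "not-installed"
    return "fixed" if is_fixed(version) else "vulnerable"


if __name__ == "__main__":
    # Live mode: run drush from the Drupal root; fall back to the sample
    # when drush is not available so the script still demonstrates itself.
    try:
        listing = subprocess.run(
            ["drush", "pm:list", "--fields=name,version"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        listing = SAMPLE_LISTING
    print(assess(listing))
```

Run it from the Drupal root on each site; a "vulnerable" result means the module row was found below 1.3.0, and "not-installed" means no row matched (an uninstalled module is not exposed, but check that it was not merely renamed in your code base).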
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to IP restriction settings
- Admin actions from unusual IP addresses or user agents
Network Indicators:
- POST requests to restrict route configuration without CSRF tokens
- Admin interface access from unauthorized IPs
SIEM Query:
source="drupal" AND (event_type="config_change" AND module="restrict_route_by_ip")
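The two log indicators listed above can be checked mechanically when Drupal's syslog module is enabled. The following is an added example, not part of the advisory or of the module: it reads lines in the syslog module's default field layout (base_url|timestamp|type|ip|request_uri|referer|uid|link|message), keeps only entries attributed to restrict_route_by_ip, and flags entries whose Referer points at a different host than the site (the shape a CSRF-triggered request leaves), entries with no Referer at all (a weaker signal, since referrer policies can strip the header), and entries from outside the networks administrators are expected to use. The log lines, request paths and admin networks are constructed; the paths are not the module's real routes.

```python
"""Detection pass over Drupal syslog-format watchdog lines.

Added example, not part of the advisory or of the module. It scans
lines in Drupal's syslog module format
(base_url|timestamp|type|ip|request_uri|referer|uid|link|message)
for the indicators named in the advisory: module config changes that
arrive with a cross-site or missing Referer, and admin actions from
unexpected source IPs. All sample data below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple
from urllib.parse import urlsplit

MODULE = "restrict_route_by_ip"

# Constructed allow-list: networks administrators are expected to come from.
ADMIN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed sample log; the request paths are illustrative only and are
# not the module's real routes.
SAMPLE_LOG = """\
https://site.test|1716393600|restrict_route_by_ip|10.0.0.5|/admin/config/example-restrict-route-form|https://site.test/admin/config/example-restrict-route-form|1||Rule saved
https://site.test|1716393660|restrict_route_by_ip|10.0.0.5|/admin/config/example-restrict-route-form|https://lure.example/page|1||Rule saved
https://site.test|1716393720|restrict_route_by_ip|198.51.100.23|/admin/config/example-restrict-route-form|https://site.test/admin/config/example-restrict-route-form|1||Rule deleted
https://site.test|1716393780|php|10.0.0.5|/node/1|https://site.test/|0||Notice: unrelated PHP message
https://site.test|1716393840|restrict_route_by_ip|10.0.0.9|/admin/config/example-restrict-route-form||1||Rule saved
"""


@dataclass
class Entry:
    base_url: str
    timestamp: int
    log_type: str
    ip: str
    request_uri: str
    referer: str
    uid: str
    link: str
    message: str


def parse_line(line: str) -> Optional[Entry]:
    """Split one syslog-module line into its nine fields.

    The message is the last field and may itself contain '|', so the split
    is capped at eight separators. Malformed lines return None.
    """
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9:
        return None
    try:
        ts = int(parts[1])
    except ValueError:
        return None
    return Entry(parts[0], ts, parts[2], parts[3], parts[4],
                 parts[5], parts[6], parts[7], parts[8])


def referer_finding(e: Entry) -> Optional[str]:
    """Flag a missing Referer or one whose host differs from the site."""
    if not e.referer:
        return "missing-referer"
    if urlsplit(e.referer).hostname != urlsplit(e.base_url).hostname:
        return "cross-site-referer"
    return None


def ip_finding(e: Entry, networks: Sequence[ipaddress._BaseNetwork]) -> Optional[str]:
    """Flag a source IP outside the expected admin networks."""
    try:
        addr = ipaddress.ip_address(e.ip)
    except ValueError:
        return "unparseable-ip"
    if not any(addr in net for net in networks):
        return "unexpected-source-ip"
    return None


def analyze(lines: Iterable[str],
            networks: Sequence[ipaddress._BaseNetwork] = ADMIN_NETWORKS
            ) -> List[Tuple[int, str, str]]:
    """Return (line number, rule, source ip) for every module entry that trips a rule."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(lines, 1):
        e = parse_line(raw)
        if e is None or e.log_type != MODULE:
            continue
        for rule in (referer_finding(e), ip_finding(e, networks)):
            if rule:
                findings.append((lineno, rule, e.ip))
    return findings


if __name__ == "__main__":
    for lineno, rule, ip in analyze(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {rule} from {ip}")
```

A cross-site Referer on a state-changing request to the module's configuration is the strongest of the three signals; treat a missing Referer as a prompt to review the session rather than as proof, and tune ADMIN_NETWORKS to the VPN or office ranges your administrators actually use.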