Security Advisory: ZF2013-04

ZF2013-04: Potential Remote Address Spoofing Vector in Zend\Http\PhpEnvironment\RemoteAddress

The Zend\Http\PhpEnvironment\RemoteAddress class provides features around detecting the internet protocol (IP) address for an incoming proxied request via the X-Forwarded-For header, taking into account a provided list of trusted proxy server IPs. Prior to 2.2.5, the class was not taking into account whether or not the IP address contained in PHP's $_SERVER['REMOTE_ADDR'] was in the trusted proxy server list.

The IETF draft specification indicates that if $_SERVER['REMOTE_ADDR'] is not a trusted proxy, it must be considered the originating IP address, and the value of X-Forwarded-For must be disregarded.

Action Taken

We have made the following change to the Zend\Http\PhpEnvironment\RemoteAddress class:

  • If we detect that (a) we will test against proxy servers, and (b) $_SERVER['REMOTE_ADDR'] is not in the list of trusted proxy servers, we now return the value of $_SERVER['REMOTE_ADDR'] immediately, without introspecting the X-Forwarded-For header.


You are only affected by this as an issue if you directly consume one of the following in your code:

  • Zend\Http\PhpEnvironment\RemoteAddress
  • Zend\Session\Validator\RemoteAddr

If you do, we recommend immediately upgrading to version 2.2.5.

Other Information


The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Released 2013-10-31

Back to advisories

Have you identified a security vulnerability?

Please report it to us at


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.