The CakePHP core team is happy to announce the immediate availability of CakePHP 2.6.13, 2.7.11, 2.8.2, 3.0.17, 3.1.12, and 3.2.5. These releases contain security fixes. 3.2.5 and 2.8.2 also contain bugfixes.

Security Fixes

These releases contain fixes for arbitrary client IP address spoofing when using the clientIp() method of the request object. Previously, this method would read the HTTP_CLIENT_IP header, a client-supplied value that can be spoofed easily. If you are using this method as a source of trusted data (for rate limiting, access control, or audit logging, for example), we recommend you upgrade. We’d like to thank the independent security researcher Dawid Golunski for discovering this vulnerability in CakePHP, which was reported to us through Beyond Security’s SecuriTeam Secure Disclosure program.
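The underlying issue is general: any header such as HTTP_CLIENT_IP or X-Forwarded-For is set by whoever sent the request, so it can only be believed when the TCP peer (REMOTE_ADDR) is a proxy you operate. The following is an added, stand-alone illustration of that rule, not CakePHP's own clientIp() implementation; the function name resolveClientIp, the $trustedProxies list, and the sample environments are all constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not CakePHP code): resolve the client IP without trusting
 * client-controlled headers by default.
 *
 * - HTTP_CLIENT_IP and X-Forwarded-For are supplied by the sender, so they are
 *   only consulted when REMOTE_ADDR is one of our own proxies ($trustedProxies
 *   is an assumed, operator-maintained list of those addresses).
 * - For X-Forwarded-For we walk from the right (nearest hop) to the left,
 *   skipping our proxies, and stop at the first address we did not add.
 */
function resolveClientIp(array $env, array $trustedProxies = []): ?string
{
    $remote = $env['REMOTE_ADDR'] ?? null;
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // no usable peer address (e.g. CLI invocation)
    }

    // Peer is not a proxy we trust: every forwarding header is untrusted input,
    // so HTTP_CLIENT_IP is never read here.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Peer is a trusted proxy: use X-Forwarded-For, rightmost untrusted hop.
    $xff  = $env['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if ($hop === '' || filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed header: fall back to the proxy address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    // Every listed hop was one of our proxies; fall back to the peer address.
    return $remote;
}

// Constructed sample environments standing in for $_SERVER.
$trusted = ['10.0.0.5'];

$cases = [
    // 1. Direct request carrying a forged HTTP_CLIENT_IP: the forged value is ignored.
    'direct, forged HTTP_CLIENT_IP' => [
        'REMOTE_ADDR'    => '203.0.113.7',
        'HTTP_CLIENT_IP' => '127.0.0.1',
    ],
    // 2. Request via our proxy: the address the proxy appended is used.
    'via trusted proxy' => [
        'REMOTE_ADDR'          => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
        'HTTP_CLIENT_IP'       => '127.0.0.1', // still ignored
    ],
    // 3. Sender pre-seeded X-Forwarded-For; our proxy appended the real address.
    'pre-seeded X-Forwarded-For' => [
        'REMOTE_ADDR'          => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9',
    ],
];

foreach ($cases as $label => $env) {
    printf("%-30s => %s\n", $label, resolveClientIp($env, $trusted) ?? 'unknown');
}
// Expected: 203.0.113.7, 198.51.100.9, 198.51.100.9 respectively.
```

The point for reviewers is the order of checks: the peer address decides whether any header is consulted at all, and the header value is never used to decide its own trustworthiness. In a CakePHP application the equivalent knob is the request's trustProxy setting, which should stay off unless the application really sits behind a proxy you control.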