diff --git a/CHANGELOG b/CHANGELOG
index 1dc1bdedf3fa48977f9b80b513a137346e650564..c220926239a50237106c324ae95dffef7c6fce88 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,8 +8,9 @@ v 8.11.0 (unreleased)
   - Add GitLab Workhorse version to admin dashboard (Katarzyna Kobierska Ula Budziszewska)
 
 v 8.10.1 (unreleased)
- - Fix bug where replies to commit notes displayed in the MR discussion tab wouldn't show up on the commit page
   - Fix Error 500 when creating Wiki pages with hyphens or spaces
+  - Ignore invalid trusted proxies in X-Forwarded-For header
+  - Fix bug where replies to commit notes displayed in the MR discussion tab wouldn't show up on the commit page
 
 v 8.10.0
   - Fix profile activity heatmap to show correct day name (eanplatter)
diff --git a/config/initializers/trusted_proxies.rb b/config/initializers/trusted_proxies.rb
index df4a933e22f3aec9aa9a35ec5794b1252705b097..30770b71e24105914e197774aed7528395c3f2ea 100644
--- a/config/initializers/trusted_proxies.rb
+++ b/config/initializers/trusted_proxies.rb
@@ -11,6 +11,12 @@ module Rack
   end
 end
 
+gitlab_trusted_proxies = Array(Gitlab.config.gitlab.trusted_proxies).map do |proxy|
+  begin
+    IPAddr.new(proxy)
+  rescue IPAddr::InvalidAddressError
+  end
+end.compact
+
 Rails.application.config.action_dispatch.trusted_proxies = (
-  [ '127.0.0.1', '::1' ] + Array(Gitlab.config.gitlab.trusted_proxies)
-).map { |proxy| IPAddr.new(proxy) }
+  [ '127.0.0.1', '::1' ] + gitlab_trusted_proxies)
diff --git a/spec/initializers/trusted_proxies_spec.rb b/spec/initializers/trusted_proxies_spec.rb
index 14c8df954a6fc7b41a8cf7be7f9f3b8e1e6ef25b..52d5a7dffc91b9e98ea8199c5b256eddaea68adf 100644
--- a/spec/initializers/trusted_proxies_spec.rb
+++ b/spec/initializers/trusted_proxies_spec.rb
@@ -17,6 +17,12 @@ describe 'trusted_proxies', lib: true do
       expect(request.remote_ip).to eq('10.1.5.89')
       expect(request.ip).to eq('10.1.5.89')
     end
+
+    it 'filters out bad values' do
+      request = stub_request('HTTP_X_FORWARDED_FOR' => '(null), 10.1.5.89')
+      expect(request.remote_ip).to eq('10.1.5.89')
+      expect(request.ip).to eq('10.1.5.89')
+    end
   end
 
   context 'with private IP ranges added' do