View online: https://www.drupal.org/sa-contrib-2025-126
Project: HTTP Client Manager [1]
Date: 2025-December-17
Security risk: *Less critical* 8 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Information disclosure
Affected versions: <9.3.13 || >=10.0.0 <10.0.2 || >=11.0.0 <11.0.1
CVE IDs: CVE-2025-14840
Description:
Http Client Manager introduces a new Guzzle-based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The module allows administrators to configure HTTP requests as part of Event Condition Action (ECA) automation.
The module does not sufficiently maintain separation of data from request operations, potentially leading to information disclosure in very uncommon situations.
Solution: Install the latest version:
* If you use the Http Client Manager module 9.3.x, upgrade to Http Client Manager 9.3.13 [3]
* If you use the Http Client Manager module 10.0.x, upgrade to Http Client Manager 10.0.2 [4]
* If you use the Http Client Manager module 11.0.x, upgrade to Http Client Manager 11.0.1 [5]
Reported By:
* mxh [6]
Fixed By:
* Adriano Cori (aronne) [7]
* mxh [8]
Coordinated By:
* Greg Knaddison (greggles) [9] of the Drupal Security Team
* Juraj Nemec (poker10) [10] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [11]
[1] https://www.drupal.org/project/http_client_manager
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/http_client_manager/releases/9.3.13
[4] https://www.drupal.org/project/http_client_manager/releases/10.0.2
[5] https://www.drupal.org/project/http_client_manager/releases/11.0.1
[6] https://www.drupal.org/u/mxh
[7] https://www.drupal.org/u/aronne
[8] https://www.drupal.org/u/mxh
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/poker10
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....