Bug 2423425 (CVE-2025-14840, DRUPAL-CONTRIB-2025-126)

Summary: CVE-2025-14840 drupal: Drupal Http Client Manager: Information disclosure due to insufficient data separation
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Drupal Http Client Manager module. This module, which allows administrators to configure HTTP requests, does not adequately separate data from request operations. This oversight could potentially lead to the disclosure of sensitive information under specific, uncommon circumstances.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-17 22:05:55 UTC 
Http Client Manager introduces a new Guzzle based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The modules allows administrators to configure HTTP requests as part of Event Condition Action (ECA) automation.

The module does not sufficiently maintain separation of data from request operations, potentially leading to information disclosure in very uncommon situations.