DRUPAL-CONTRIB-2025-126

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/http_client_manager/DRUPAL-CONTRIB-2025-126.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-126
Published
2025-12-17T17:47:13Z
Modified
2025-12-17T20:37:44.021266Z
Summary
[none]
Details

Http Client Manager introduces a new Guzzle-based plugin that lets you manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The module allows administrators to configure HTTP requests as part of Event Condition Action (ECA) automation.

The module does not sufficiently maintain separation of data from request operations, potentially leading to information disclosure in very uncommon situations.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/http_client_manager

Package

Name
drupal/http_client_manager
Purl
pkg:composer/drupal/http_client_manager

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.3.13
Database specific
{
    "constraint": "<9.3.13"
}
Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.0.2
Database specific
{
    "constraint": ">=10.0.0 <10.0.2"
}
Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.0.1
Database specific
{
    "constraint": ">=11.0.0 <11.0.1"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/http_client_manager/DRUPAL-CONTRIB-2025-126.json"

affected_versions

"<9.3.13 || >=10.0.0 <10.0.2 || >=11.0.0 <11.0.1"