Platform: drupal
Component: drupal
Fixed in: 9.3.13, 10.0.2, 11.0.1, 9.3.14
CVE-2025-14840 describes an Improper Check for Unusual or Exceptional Conditions vulnerability within the Drupal HTTP Client Manager. This flaw enables Forceful Browsing, potentially allowing attackers to navigate to unintended URLs and access sensitive resources. The vulnerability impacts Drupal Core versions 10.0.0 through 10.0.2, and 11.0.0. A fix is available in Drupal 11.0.1 and later.
The forceful browsing vulnerability allows an attacker to manipulate HTTP requests to redirect the user to arbitrary URLs. This can be exploited to access sensitive information or perform actions on behalf of the user without their knowledge. An attacker could potentially bypass access controls and gain unauthorized access to internal resources. The blast radius is limited to the Drupal site itself, but the potential for information disclosure and unauthorized actions makes this a significant concern. This type of attack can be particularly dangerous if the Drupal site is used to manage sensitive data or provide access to critical systems.
CVE-2025-14840 was published on 2026-01-28. The vulnerability's exploitation probability is currently unknown. No public exploits or active campaigns targeting this vulnerability have been reported at the time of publication. Monitor security advisories and threat intelligence feeds for any updates.
Organizations and individuals using Drupal Core versions 10.0.0–10.0.2 and 11.0.0 are at risk. This includes websites, applications, and services built on Drupal that rely on the HTTP Client Manager for external communication. Shared hosting environments utilizing these vulnerable Drupal versions are particularly susceptible.
• drupal: Check the Drupal core version using drush --version. If the version falls within the affected range (10.0.0–10.0.2 or 11.0.0), investigate further.
• drupal: Examine the Drupal logs (sites/[site]/logs/drupal.log) for unusual HTTP requests or redirects.
• generic web: Use curl to test for potential URL redirection. For example, run curl -v https://[yourdrupalsite]/path/to/vulnerable/endpoint and examine the response headers.
• generic web: Review access logs for suspicious patterns of requests to internal or unexpected URLs.
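The first detection step above is a version comparison; the following script, added here as an example and not code from the advisory or from the Drupal project, performs that comparison against a composer.lock file rather than against drush output, since composer.lock is what the page suggests checking. It assumes the standard composer.lock layout ("packages" and "packages-dev" arrays with "name" and "version" keys) and that the core version is carried by the drupal/core or drupal/core-recommended package; the affected ranges are the ones stated in the text (10.0.0 through 10.0.2, and 11.0.0), and the embedded lock file fragment is constructed for the example.

```python
"""Flag Drupal core versions in the affected range of CVE-2025-14840 from a composer.lock file."""
import json

# Affected ranges as stated in the advisory text: 10.0.0 through 10.0.2, and 11.0.0.
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 0, 2)),
    ((11, 0, 0), (11, 0, 0)),
]

# Packages that carry the core version in a typical Drupal composer.lock (assumption).
CORE_PACKAGES = ("drupal/core", "drupal/core-recommended")


def parse_version(version: str) -> tuple:
    """Turn '10.0.2' or 'v10.0.2' into (10, 0, 2); a pre-release suffix such as '-beta1' is dropped."""
    core = version.lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:          # pad '10.0' to (10, 0, 0)
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the affected ranges (inclusive bounds)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def affected_packages(lock_text: str, names=CORE_PACKAGES) -> list:
    """Return (name, version) pairs from composer.lock whose version is in the affected range."""
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in names and is_affected(pkg.get("version", "")):
                hits.append((pkg["name"], pkg["version"]))
    return hits


# Constructed composer.lock fragment for the example; versions are made up, not from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.0.1"},
        {"name": "drush/drush", "version": "12.4.3"},
    ],
    "packages-dev": [
        {"name": "drupal/core-dev", "version": "10.0.1"},
    ],
})


if __name__ == "__main__":
    for name, version in affected_packages(SAMPLE_LOCK):
        print(f"AFFECTED: {name} {version} is within the CVE-2025-14840 range; upgrade per the advisory")
```

To use it on a real site, replace SAMPLE_LOCK with the contents of the project's composer.lock; a non-empty result means the core version matches the range given above and the upgrade in the mitigation section applies. The comparison is inclusive at both ends, so 10.0.2 is reported as affected exactly as the text lists it.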
disclosure
Exploit status
EPSS: 0.06% (19th percentile)
CVSS vector
The primary mitigation for CVE-2025-14840 is to upgrade Drupal Core to a patched version. Drupal recommends upgrading to version 10.0.2 or later. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block suspicious HTTP requests that attempt to manipulate URLs. Carefully review and restrict allowed HTTP methods and destinations within the HTTP Client Manager configuration. After upgrading, confirm the fix by attempting to navigate to an arbitrary URL through the Drupal interface and verifying that the redirection is blocked.
Update the HTTP Client Manager module to version 9.3.13 or later, 10.0.2 or later, or 11.0.1 or later. This corrects the improper check for unusual or exceptional conditions that permits forceful browsing.
CVE-2025-14840 is a HIGH severity vulnerability in Drupal Core that allows Forceful Browsing via the HTTP Client Manager, potentially exposing sensitive data.
You are affected if you are using Drupal Core versions 10.0.0–10.0.2 or 11.0.0. Upgrade to Drupal 11.0.1 or later to mitigate the risk.
Upgrade Drupal Core to version 11.0.1 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting access to the HTTP Client Manager.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2025-14840.
Refer to the official Drupal security advisory at [https://www.drupal.org/security/advisories/cve-2025-14840](https://www.drupal.org/security/advisories/cve-2025-14840) for detailed information.