Platform
drupal
Component
drupal
Fixed in
9.3.13
10.0.2
11.0.1
9.3.14
CVE-2025-14840 is an Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Drupal's HTTP Client Manager. The missing check enables Forceful Browsing: a request can be steered to URLs the application never intended to expose, and the resources behind them can be read. Affected releases are those in the 9.3, 10.0 and 11.0 branches older than the fixed release for that branch; the fixed releases listed above are 9.3.13 (9.3.14 is also listed as fixed), 10.0.2 and 11.0.1.
An attacker who can direct the HTTP Client Manager at a URL of their choosing reaches resources whose access control was assumed to be enforced before the request was made. Depending on what is reachable from the client, that means internal resources, sensitive data, and, where the reached endpoints accept state-changing requests, a path to privilege escalation: the attacker interacts with administrative functions or data that the intended access checks would have denied. The blast radius is bounded by what the HTTP Client Manager can address in a given deployment. The advisory names no specific routes, so until the fix is applied treat any user data, configuration or internal API endpoint reachable through the client as in scope.
CVE-2025-14840 was published on 2026-01-28. No public proof-of-concept exploit is known at the time of writing. The EPSS score is 0.06% (19th percentile), a low estimated probability of exploitation in the wild over the next 30 days; that is a prioritisation signal, not a statement about impact, and the upgrade should still be scheduled promptly.
Exploit Status
EPSS
0.06% (19th percentile)
CVSS Vector
The primary mitigation for CVE-2025-14840 is to upgrade to the fixed release for your branch: 9.3.13 or later on 9.3 (9.3.14 is also listed as fixed), 10.0.2 or later on 10.0, or 11.0.1 or later on 11.0. This corrects the improper check that allows forceful browsing. If an immediate upgrade is not feasible, reduce exposure in the meantime: restrict which roles can reach the HTTP Client Manager functionality, and validate the URLs it is asked to handle against an allowlist of expected hosts and paths rather than a blocklist. Audit custom modules and site-specific code that call the HTTP Client Manager for the same pattern, acting on a supplied URL without first confirming the caller is permitted to reach it. After upgrading, confirm the fix by verifying the installed version (for example from composer.lock or the output of composer show) rather than by trying to reproduce the issue, since no public proof of concept exists to test against and a failed attempt proves nothing.
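The version check described above, as an added example that is not part of the advisory or of the Drupal project: it reads a composer.lock, finds the relevant package, and compares the installed version with the fixed release for its minor branch using the Fixed in values listed on this page. The page does not state the Composer package name, so both names inspected below (drupal/core and drupal/http_client_manager) are assumptions; the sample lock file is constructed for illustration. Versions in branches the page does not list (for example 10.1.x) are reported as unknown rather than guessed, and dev versions that cannot be parsed are flagged rather than silently passed.

```python
"""Check a composer.lock against the fixed releases listed for CVE-2025-14840."""
import json
import re

# Earliest fixed release per minor branch, taken from the page's "Fixed in" field.
# 9.3.14 is also listed as fixed; any 9.3.x >= 9.3.13 is therefore fixed.
FIXED_BY_BRANCH = {
    (9, 3): (9, 3, 13),
    (10, 0): (10, 0, 2),
    (11, 0): (11, 0, 1),
}

# Package names to inspect. The page does not give the Composer package name;
# both of these are assumptions (core vs. a contrib module).
CANDIDATE_PACKAGES = ("drupal/core", "drupal/http_client_manager")

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for '10.0.1' or 'v11.0.0'; None for '10.0.x-dev' etc."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify one installed version against the fixed releases.

    Returns 'fixed', 'affected', 'unknown-branch' (branch not listed on the page,
    consult the advisory) or 'unparseable' (dev/branch alias, check manually).
    """
    v = parse_version(version)
    if v is None:
        return "unparseable"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if v >= fixed else "affected"


def check_lock(lock_text):
    """Return {package: (version, verdict)} for each candidate package in the lock file.

    Both 'packages' and 'packages-dev' are searched; unrelated packages are ignored.
    """
    lock = json.loads(lock_text)
    results = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name")
            if name in CANDIDATE_PACKAGES:
                version = pkg.get("version", "")
                results[name] = (version, assess(version))
    return results


# Constructed sample lock file (not from any real site), trimmed to the fields used above.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.0.1"},
        {"name": "drupal/http_client_manager", "version": "9.3.14"},
        {"name": "guzzlehttp/guzzle", "version": "7.8.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (version, verdict) in sorted(check_lock(SAMPLE_LOCK).items()):
        print(f"{name} {version}: {verdict}")
```

Run it against a real lock file with `check_lock(open("composer.lock").read())`. Because the comparison is per branch, a 10.0.x site is judged against 10.0.2 and not against 11.0.1, which is the mistake the prose above guards against; an `unknown-branch` verdict is a prompt to read the advisory, not a clean result.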
CVE-2025-14840 is a HIGH severity vulnerability in Drupal Core allowing Forceful Browsing via the HTTP Client Manager, potentially exposing sensitive data.
You are affected if you run a release in the 9.3, 10.0 or 11.0 branch that is older than the fixed release for that branch (9.3.13, 10.0.2 and 11.0.1 respectively). Upgrade to the fixed release for your branch to remove the risk.
Upgrade to the fixed release for your branch (9.3.13 or later, 10.0.2 or later, or 11.0.1 or later). If an immediate upgrade is not possible, restrict access to the HTTP Client Manager functionality as a temporary measure.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2025-14840.
Refer to the official Drupal security advisory at [https://www.drupal.org/security/advisories/cve-2025-14840](https://www.drupal.org/security/advisories/cve-2025-14840) for detailed information.