Skip to main content

libsoup CVE-2025-14523

HIGH
HTTP Request/Response Smuggling (CWE-444)
2025-12-11 secalert@redhat.com
8.2
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
8.2 HIGH

Remote, unauthenticated, low-complexity Host-header smuggling with high integrity impact (access-control bypass) and limited confidentiality exposure; no availability impact and scope unchanged within the parsing component.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 02:30 vuln.today

DescriptionCVE.org

A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.

AnalysisAI

HTTP request smuggling in libsoup, GNOME's HTTP client/server library, lets remote unauthenticated attackers exploit inconsistent Host header parsing: libsoup accepts multiple Host: headers and processes the last occurrence, while common front-end proxies honor the first. Supplying duplicate Host headers creates a proxy/backend mismatch enabling vhost confusion, request smuggling, cache poisoning, and bypass of host-based access controls. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but Red Hat has shipped fixes across numerous products (15 RHSA errata).

Technical ContextAI

libsoup is the GTK/GNOME HTTP library used by GNOME desktop applications and services on Linux, and it can act as an HTTP server. The root cause maps to CWE-444 (Inconsistent Interpretation of HTTP Requests / request smuggling): when a request contains more than one Host: header, libsoup forwards the last occurrence to server-side processing instead of rejecting the malformed message. Per RFC 7230 a request with multiple Host headers should be rejected; because intermediary proxies frequently honor the first Host header, the two ends of the connection disagree on the intended virtual host. That parsing discrepancy is the classic precondition for HTTP desync attacks, allowing a request the proxy routes to one backend/vhost to be interpreted by libsoup as belonging to another.

Affected ProductsAI

The affected product is libsoup, GNOME's HTTP library, as shipped in Red Hat Enterprise Linux and related products. No exact upstream fixed version or CPE range was provided in the input, but Red Hat has published an extensive set of advisories covering the affected packages: RHSA-2026:0421, RHSA-2026:0422, RHSA-2026:0423, RHSA-2026:0836, RHSA-2026:0867, RHSA-2026:0868, RHSA-2026:0905, RHSA-2026:0906, RHSA-2026:0907, RHSA-2026:0908, RHSA-2026:0909, RHSA-2026:0911, RHSA-2026:0925, RHSA-2026:1509, and RHSA-2026:1569 (all under https://access.redhat.com/errata/). The breadth of these errata indicates multiple libsoup-consuming product streams are impacted; consult the specific RHSA matching your platform for the exact fixed package version.

RemediationAI

Patch available per vendor advisory: apply the libsoup updates from the relevant Red Hat erratum for your platform (for example https://access.redhat.com/errata/RHSA-2026:0421 and the related RHSA-2026:0422/0423/0836/0867/0868/0905-0911/0925/1509/1569), then restart or rebuild applications that link libsoup so the patched library is loaded. No exact upstream fixed version number was included in the input, so confirm the precise fixed package version from the RHSA that matches your release rather than assuming one. As a compensating control where immediate patching is not possible, harden the front-end proxy to reject any request containing more than one Host header and to normalize/canonicalize Host before forwarding, which closes the parser-disagreement gap; the trade-off is that strict rejection may break non-compliant clients. Also ensure the proxy and libsoup agree on Host handling and avoid relying solely on host-based access controls at the backend, since those are the specific controls this flaw can bypass.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Affected
Container suse/sl-micro/6.0/toolbox:latest Affected
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production Affected
SUSE Liberty Linux 10 Fixed
SUSE Liberty Linux 8 Fixed

Share

CVE-2025-14523 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy