Skip to main content

libsoup CVE-2025-32914

HIGH
Out-of-bounds Read (CWE-125)
2025-04-14 secalert@redhat.com
7.4
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.4 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 22, 2026 - 11:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 11:22 vuln.today
cvss_changed
Patch released
Apr 05, 2026 - 20:30 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 18:36 vuln.today
CVE Published
Apr 14, 2025 - 15:15 nvd
HIGH 7.4

DescriptionCVE.org

A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds.

AnalysisAI

Out-of-bounds read in libsoup's soup_multipart_new_from_message() function allows remote attackers to disclose sensitive memory contents and potentially crash server applications. Malicious HTTP clients can trigger this memory safety flaw (CWE-125) by sending crafted multipart messages to libsoup-based servers, affecting Red Hat Enterprise Linux distributions and Debian systems. With EPSS at 0.52% (67th percentile) and no confirmed active exploitation, this represents moderate real-world risk requiring assessment of deployment exposure to untrusted HTTP clients.

Technical ContextAI

libsoup is a GNOME HTTP client/server library written in C, widely used by Linux desktop applications and server components for HTTP/HTTPS communication and REST API interactions. The vulnerability resides in soup_multipart_new_from_message(), a function that parses multipart MIME messages (commonly used for file uploads and form data). CWE-125 (Out-of-bounds Read) indicates insufficient boundary validation when processing multipart message boundaries or headers, allowing reads beyond allocated buffer regions. This can leak adjacent memory contents (information disclosure) or cause segmentation faults (denial of service). The vulnerability affects the server-side parsing path, meaning applications using libsoup to receive HTTP requests are vulnerable, not HTTP clients. Red Hat's extensive RHSA coverage across RHEL 8, 9, and derivative products indicates widespread deployment in enterprise Linux environments. The network attack vector (AV:N) with high attack complexity (AC:H) suggests exploitation requires precise crafting of malformed multipart messages to trigger the boundary condition.

Affected ProductsAI

libsoup library versions prior to vendor-patched releases distributed through Red Hat Enterprise Linux 8.x and 9.x (covered by RHSA-2025:7505, RHSA-2025:8126, RHSA-2025:8132, RHSA-2025:8139, RHSA-2025:8140, RHSA-2025:8252, RHSA-2025:8480, RHSA-2025:8481, RHSA-2025:8482, RHSA-2025:8663, RHSA-2025:9179, RHSA-2025:21657) and Debian LTS systems (covered in debian-lts-announce 2025/04/msg00036). Specific vulnerable libsoup versions not disclosed in available advisories, but all unpatched installations using libsoup for server-side HTTP multipart processing are affected. Red Hat Security Advisory https://access.redhat.com/security/cve/CVE-2025-32914 provides centralized tracking. Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2359358 contains additional technical details.

RemediationAI

Apply vendor-provided patches immediately for systems exposed to untrusted HTTP clients. Red Hat customers should install updates per applicable RHSA advisories for their RHEL version: RHEL 8 users apply RHSA-2025:8126/8132/8139/8140, RHEL 9 users apply RHSA-2025:7505/8252/8480/8481/8482/8663/9179/21657 via yum/dnf update libsoup. Debian LTS users should follow guidance at https://lists.debian.org/debian-lts-announce/2025/04/msg00036.html. Verify patched versions with rpm -q libsoup or dpkg -l libsoup after update. For systems where immediate patching is not feasible, implement compensating controls: (1) restrict HTTP server exposure to trusted networks only via firewall rules, eliminating remote attack vector (trade-off: breaks legitimate external access), (2) disable multipart MIME processing in application configurations if not business-critical (trade-off: breaks file upload functionality), (3) deploy web application firewall with strict multipart message size and structure validation (trade-off: may cause false positives on legitimate uploads, requires tuning). These mitigations reduce attack surface but do not eliminate the vulnerability. Monitor application logs for parsing errors or crashes in multipart handling as potential exploitation indicators. No workaround eliminates the vulnerability; patching is the definitive fix.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Affected
Container suse/sl-micro/6.0/base-os-container:latest Image SL-Micro Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Affected
Container suse/sl-micro/6.0/toolbox:latest Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.62 Affected

Share

CVE-2025-32914 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy