Skip to main content

WebKitGTK and WPE WebKit CVE-2025-66286

| EUVDEUVD-2025-209565 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-23 redhat GHSA-qx86-g93j-m25r
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

5
Patch released
Apr 27, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 23, 2026 - 13:15 vuln.today
EUVD ID Assigned
Apr 23, 2026 - 12:45 euvd
EUVD-2025-209565
Analysis Generated
Apr 23, 2026 - 12:45 vuln.today
CVE Published
Apr 23, 2026 - 12:33 nvd
MEDIUM 4.7

DescriptionCVE.org

An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.

AnalysisAI

WebKitGTK and WPE WebKit contain an API design flaw that allows untrusted web content to bypass the WebPage::send-request signal handler and perform unapproved network operations including IP connections, DNS lookups, and HTTP requests. The vulnerability affects applications across Red Hat Enterprise Linux 6-9 that rely on this signal to control network access. A remote attacker can trigger these bypassed requests via crafted web content with only user interaction (UI:R), resulting in limited confidentiality impact (C:L) without code execution.

Technical ContextAI

WebKitGTK and WPE WebKit are rendering engines used in many Linux-based applications. They expose a WebPage::send-request signal handler that applications use to implement network request filtering-a critical security boundary for controlling what external resources an application may access. The vulnerability stems from a CWE-639 (Authorization Bypass Through User-Controlled Key) flaw where certain categories of HTTP requests are designed to bypass this authorization check. The specific request types that circumvent the signal handler are not detailed in available references, but the flaw appears architectural rather than a simple implementation bug. This affects all WebKitGTK and WPE WebKit releases across Red Hat Enterprise Linux versions 6, 7, 8, and 9 that include the vulnerable code path.

RemediationAI

Apply security updates from Red Hat for all affected RHEL versions (6, 7, 8, 9). Users should install patched WebKitGTK and WPE WebKit packages via their distribution's package manager (yum, dnf, or apt depending on RHEL variant). Exact patched version numbers should be confirmed from https://access.redhat.com/security/cve/CVE-2025-66286 and https://bugzilla.redhat.com/show_bug.cgi?id=2424652. For applications using WebKitGTK or WPE WebKit, no workaround exists at the application level because the vulnerability is in the underlying library; patching the library is mandatory. As a temporary mitigation, restrict access to untrusted web content or disable web browsing features in affected applications until patches are applied, but this is not a substitute for patching.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed

Share

CVE-2025-66286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy