CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Description (NVD)
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.
Analysis (AI)
WebKitGTK and WPE WebKit contain an API design flaw that allows untrusted web content to bypass the WebPage::send-request signal handler and perform unapproved network operations including IP connections, DNS lookups, and HTTP requests. The vulnerability affects applications across Red Hat Enterprise Linux 6-9 that rely on this signal to control network access. A remote attacker can trigger these bypassed requests via crafted web content with only user interaction (UI:R), resulting in limited confidentiality impact (C:L) without code execution.
Technical Context (AI)
WebKitGTK and WPE WebKit are rendering engines used in many Linux-based applications. They expose a WebPage::send-request signal handler that applications use to implement network request filtering, a critical security boundary for controlling what external resources an application may access. The vulnerability stems from a CWE-639 (Authorization Bypass Through User-Controlled Key) flaw where certain categories of HTTP requests are designed to bypass this authorization check. The specific request types that circumvent the signal handler are not detailed in available references, but the flaw appears architectural rather than a simple implementation bug. This affects all WebKitGTK and WPE WebKit releases across Red Hat Enterprise Linux versions 6, 7, 8, and 9 that include the vulnerable code path.
Remediation (AI)
Apply security updates from Red Hat for all affected RHEL versions (6, 7, 8, 9). Users should install patched WebKitGTK and WPE WebKit packages via their distribution's package manager (yum, dnf, or apt depending on RHEL variant). Exact patched version numbers should be confirmed from https://access.redhat.com/security/cve/CVE-2025-66286 and https://bugzilla.redhat.com/show_bug.cgi?id=2424652. For applications using WebKitGTK or WPE WebKit, no workaround exists at the application level because the vulnerability is in the underlying library; patching the library is mandatory. As a temporary mitigation, restrict access to untrusted web content or disable web browsing features in affected applications until patches are applied, but this is not a substitute for patching.
EUVD-2025-209565
GHSA-qx86-g93j-m25r