Nixpkgs security tracker

Untriaged

Permalink CVE-2025-46421

6.8 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 8 months ago
@LeSuisse ignored package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 3 months, 2 weeks ago

Libsoup: information disclosure may leads libsoup client sends authorization header to a different host when being redirected by a server

A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.

References

https://access.redhat.com/security/cve/CVE-2025-46421 vdb-entryx_refsource_REDHAT
RHBZ#2361962 issue-trackingx_refsource_REDHAT
RHSA-2025:4439 x_refsource_REDHATvendor-advisory
RHSA-2025:4440 x_refsource_REDHATvendor-advisory
RHSA-2025:4508 x_refsource_REDHATvendor-advisory
RHSA-2025:4538 x_refsource_REDHATvendor-advisory
RHSA-2025:4560 x_refsource_REDHATvendor-advisory
RHSA-2025:4568 x_refsource_REDHATvendor-advisory
RHSA-2025:4609 x_refsource_REDHATvendor-advisory
RHSA-2025:4624 x_refsource_REDHATvendor-advisory
RHSA-2025:7436 x_refsource_REDHATvendor-advisory
RHSA-2025:7505 x_refsource_REDHATvendor-advisory
https://gitlab.gnome.org/GNOME/libsoup/-/issues/439