Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2025-4476

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

created 6 months, 3 weeks ago

Libsoup: null pointer dereference in libsoup may lead to denial of service

A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 (Unauthorized) HTTP response containing a specifically crafted domain parameter within the WWW-Authenticate header. Processing this malformed header can lead to a crash of the client application using libsoup. An attacker could exploit this by setting up a malicious HTTP server. If a user's application using the vulnerable libsoup library connects to this malicious server, it could result in a denial-of-service. Successful exploitation requires tricking a user's client application into connecting to the attacker's malicious server.

References

https://access.redhat.com/security/cve/CVE-2025-4476 x_refsource_REDHATvdb-entry
RHBZ#2366513 issue-trackingx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-4476 x_refsource_REDHATvdb-entry
RHBZ#2366513 issue-trackingx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-4476 x_refsource_REDHATvdb-entry
RHBZ#2366513 issue-trackingx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-4476 x_refsource_REDHATvdb-entry
RHBZ#2366513 issue-trackingx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-4476 x_refsource_REDHATvdb-entry
RHBZ#2366513 issue-trackingx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-4476 x_refsource_REDHATvdb-entry
RHBZ#2366513 issue-trackingx_refsource_REDHAT

Affected products

libsoup

<3.6.6

libsoup3

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable -
- nixpkgs-unstable 3.6.5

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable -
- nixpkgs-unstable 2.74.3

pkgs.tests.pkg-config.defaultPkgConfigPackages.%22libsoup-gnome-2.4%22

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

nixos-unstable -
- nixpkgs-unstable

Package maintainers

@jtojnar Jan Tojnar <jtojnar@gmail.com>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@lovek323 Jason O'Conal <jason@oconal.id.au>
@bobby285271 Bobby Rong <rjl931189261@126.com>