NIXPKGS-2026-0182

GitHub issue published on 7 Feb 2026

Permalink CVE-2025-4945

updated 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 5 months ago
@LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 2 weeks ago
@LeSuisse accepted 2 weeks ago
@LeSuisse removed package libsoup_3 2 weeks ago
@LeSuisse published on GitHub 2 weeks ago

Libsoup: integer overflow in cookie expiration date handling in libsoup

A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines.

Affected products

libsoup

=<3.6.5
*

libsoup3

Matching in nixpkgs

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable -
- nixpkgs-unstable 2.74.3

Package maintainers

@jtojnar Jan Tojnar <jtojnar@gmail.com>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@lovek323 Jason O'Conal <jason@oconal.id.au>
@bobby285271 Bobby Rong <rjl931189261@126.com>

Upstream issue: https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
Upstream patch: https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0182

Affected products

Matching in nixpkgs

pkgs.libsoup_2_4

Package maintainers