NIXPKGS-2026-0182

GitHub issue published on

Permalink CVE-2025-4945

3.7 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 8 months ago
@LeSuisse ignored package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 3 months, 2 weeks ago
@LeSuisse accepted 3 months, 2 weeks ago
@LeSuisse ignored package libsoup_3 3 months, 2 weeks ago
@LeSuisse published on GitHub 3 months, 2 weeks ago

Libsoup: integer overflow in cookie expiration date handling in libsoup

A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines.

References

https://access.redhat.com/security/cve/CVE-2025-4945 vdb-entryx_refsource_REDHAT
RHBZ#2367175 issue-trackingx_refsource_REDHAT
RHSA-2025:19713 x_refsource_REDHATvendor-advisory
RHSA-2025:19714 x_refsource_REDHATvendor-advisory
RHSA-2025:19720 x_refsource_REDHATvendor-advisory
RHSA-2025:20959 x_refsource_REDHATvendor-advisory
RHSA-2025:21032 x_refsource_REDHATvendor-advisory
RHSA-2025:21655 x_refsource_REDHATvendor-advisory
RHSA-2025:21656 x_refsource_REDHATvendor-advisory
RHSA-2025:21657 x_refsource_REDHATvendor-advisory
RHSA-2025:21664 x_refsource_REDHATvendor-advisory
RHSA-2025:21665 x_refsource_REDHATvendor-advisory
RHSA-2025:21666 x_refsource_REDHATvendor-advisory
RHSA-2025:21772 x_refsource_REDHATvendor-advisory
RHSA-2025:22013 x_refsource_REDHATvendor-advisory

Affected products

libsoup

=<3.6.5
*

libsoup3

Matching in nixpkgs

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable -
- nixpkgs-unstable 2.74.3

Ignored packages (2)

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable -
- nixpkgs-unstable 3.6.5

pkgs.tests.pkg-config.defaultPkgConfigPackages.%22libsoup-gnome-2.4%22

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

nixos-unstable -
- nixpkgs-unstable

Package maintainers

@jtojnar Jan Tojnar <jtojnar@gmail.com>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@lovek323 Jason O'Conal <jason@oconal.id.au>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>

Upstream issue: https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
Upstream patch: https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f

Nixpkgs security tracker