NIXPKGS-2026-0185

GitHub issue published on 8 Feb 2026

Permalink CVE-2025-9901

updated 1 week, 6 days ago by @LeSuisse Activity log

Created automatic suggestion 5 months ago
@LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 2 weeks ago
@LeSuisse accepted 2 weeks ago
@LeSuisse published on GitHub 1 week, 6 days ago

Libsoup: improper handling of http vary header in libsoup caching

A flaw was found in libsoup’s caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on request headers such as language or authentication. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments.

Affected products

libsoup

libsoup3

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable -
- nixpkgs-unstable 3.6.5

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable -
- nixpkgs-unstable 2.74.3

Package maintainers

@jtojnar Jan Tojnar <jtojnar@gmail.com>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@lovek323 Jason O'Conal <jason@oconal.id.au>
@bobby285271 Bobby Rong <rjl931189261@126.com>

Upstream issue: https://gitlab.gnome.org/GNOME/libsoup/-/issues/453

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0185

Affected products

Matching in nixpkgs

pkgs.libsoup_3

pkgs.libsoup_2_4

Package maintainers