NIXPKGS-2026-0185

GitHub issue published on

Permalink CVE-2025-9901

5.9 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 2 months ago by @LeSuisse Activity log

Created automatic suggestion 6 months, 3 weeks ago
@LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 2 months ago
@LeSuisse accepted 2 months ago
@LeSuisse published on GitHub 2 months ago

Libsoup: improper handling of http vary header in libsoup caching

A flaw was found in libsoup’s caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on request headers such as language or authentication. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments.

References

https://access.redhat.com/security/cve/CVE-2025-9901 x_refsource_REDHATvdb-entry
RHBZ#2392790 issue-trackingx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-9901 x_refsource_REDHATvdb-entry
RHBZ#2392790 issue-trackingx_refsource_REDHAT

Affected products

libsoup

libsoup3

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable -
- nixpkgs-unstable 3.6.5

pkgs.libsoup_2_4