NIXPKGS-2026-0180

GitHub issue published on 7 Feb 2026

Permalink CVE-2025-11021

updated 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 3 months ago
@LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 2 weeks ago
@LeSuisse accepted 2 weeks ago
@LeSuisse published on GitHub 2 weeks ago

Libsoup: out-of-bounds read in cookie date handling of libsoup http library

A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw could result in unintended disclosure of memory contents, potentially exposing sensitive information from the process using libsoup.

Affected products

libsoup

=<3.6.5
*

libsoup3

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable 3.6.5
- nixpkgs-unstable 3.6.5
- nixos-unstable-small 3.6.5

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable 2.74.3
- nixpkgs-unstable 2.74.3
- nixos-unstable-small 2.74.3

Package maintainers

@bobby285271 Bobby Rong <rjl931189261@126.com>
@lovek323 Jason O'Conal <jason@oconal.id.au>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>

Upstream issue: https://gitlab.gnome.org/GNOME/libsoup/-/issues/459
Upstream patch: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9e1a427d2f047439d0320defe1593e6352595788

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0180

Affected products

Matching in nixpkgs

pkgs.libsoup_3

pkgs.libsoup_2_4

Package maintainers