NIXPKGS-2026-0179

GitHub issue published on 7 Feb 2026

Permalink CVE-2025-14523

updated 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 2 weeks ago
@LeSuisse accepted 2 weeks ago
@LeSuisse published on GitHub 2 weeks ago

Libsoup: libsoup: duplicate host header handling causes host-parsing discrepancy (first- vs last-value wins)

A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.

Affected products

libsoup

libsoup3

spice-client-win

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable 3.6.5
- nixpkgs-unstable 3.6.5
- nixos-unstable-small 3.6.5

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable 2.74.3
- nixpkgs-unstable 2.74.3
- nixos-unstable-small 2.74.3

Package maintainers

@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@lovek323 Jason O'Conal <jason@oconal.id.au>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>

Upstream issue: https://gitlab.gnome.org/GNOME/libsoup/-/issues/472
Upstream patch:
* https://gitlab.gnome.org/GNOME/libsoup/-/commit/d3db5a6f8f03e1f0133754872877c92c0284c472 (libsoup 2)
* https://gitlab.gnome.org/GNOME/libsoup/-/commit/e5af65cf72ea884f9834c457cb2bc0f528dbf03a

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0179

Affected products

Matching in nixpkgs

pkgs.libsoup_3

pkgs.libsoup_2_4

Package maintainers