Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0179

NIXPKGS-2026-0179
published on
Permalink CVE-2025-14523
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 2 months ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 2 weeks ago
  • @LeSuisse removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago
Libsoup: libsoup: duplicate host header handling causes host-parsing discrepancy (first- vs last-value wins)

A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.

References

Affected products

libsoup
  • *
libsoup3
  • *
spice-client-win
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

Package maintainers

Upstream issue: https://gitlab.gnome.org/GNOME/libsoup/-/issues/472
Upstream patch:
* https://gitlab.gnome.org/GNOME/libsoup/-/commit/d3db5a6f8f03e1f0133754872877c92c0284c472 (libsoup 2)
* https://gitlab.gnome.org/GNOME/libsoup/-/commit/e5af65cf72ea884f9834c457cb2bc0f528dbf03a