NIXPKGS-2026-0179

GitHub issue published on

Permalink CVE-2025-14523

8.2 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 3 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months ago
@LeSuisse ignored package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 3 months, 2 weeks ago
@LeSuisse accepted 3 months, 2 weeks ago
@LeSuisse published on GitHub 3 months, 2 weeks ago

Libsoup: libsoup: duplicate host header handling causes host-parsing discrepancy (first- vs last-value wins)

A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.

References

https://access.redhat.com/security/cve/CVE-2025-14523 vdb-entryx_refsource_REDHAT
RHBZ#2421349 issue-trackingx_refsource_REDHAT
RHSA-2026:0421 x_refsource_REDHATvendor-advisory
RHSA-2026:0422 x_refsource_REDHATvendor-advisory
RHSA-2026:0423 x_refsource_REDHATvendor-advisory
RHSA-2026:0836 x_refsource_REDHATvendor-advisory
RHSA-2026:0867 x_refsource_REDHATvendor-advisory
RHSA-2026:0868 x_refsource_REDHATvendor-advisory
RHSA-2026:0905 x_refsource_REDHATvendor-advisory
RHSA-2026:0906 x_refsource_REDHATvendor-advisory
RHSA-2026:0907 x_refsource_REDHATvendor-advisory
RHSA-2026:0908 x_refsource_REDHATvendor-advisory
RHSA-2026:0909 x_refsource_REDHATvendor-advisory
RHSA-2026:0911 x_refsource_REDHATvendor-advisory
RHSA-2026:0925 x_refsource_REDHATvendor-advisory
RHSA-2026:1509 x_refsource_REDHATvendor-advisory
RHSA-2026:1569 x_refsource_REDHATvendor-advisory
RHSA-2026:1570 x_refsource_REDHATvendor-advisory
RHSA-2026:1571 x_refsource_REDHATvendor-advisory
RHSA-2026:1572 x_refsource_REDHATvendor-advisory

Affected products

libsoup

libsoup3

spice-client-win

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable 3.6.5
- nixpkgs-unstable 3.6.5
- nixos-unstable-small 3.6.5

pkgs.libsoup_2_4

HTTP client/server library for GNOME

nixos-unstable 2.74.3
- nixpkgs-unstable 2.74.3
- nixos-unstable-small 2.74.3

Ignored packages (1)

pkgs.tests.pkg-config.defaultPkgConfigPackages.%22libsoup-gnome-2.4%22

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small

Package maintainers

@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@lovek323 Jason O'Conal <jason@oconal.id.au>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@bobby285271 Bobby Rong <rjl931189261@126.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>

Upstream issue: https://gitlab.gnome.org/GNOME/libsoup/-/issues/472
Upstream patch:
* https://gitlab.gnome.org/GNOME/libsoup/-/commit/d3db5a6f8f03e1f0133754872877c92c0284c472 (libsoup 2)
* https://gitlab.gnome.org/GNOME/libsoup/-/commit/e5af65cf72ea884f9834c457cb2bc0f528dbf03a

Nixpkgs security tracker