Untriaged
CVE-2025-66286
4.7 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
WebKitGTK: authorization bypass through WebPage::send-request signal handler
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.
Affected products
webkitgtk
webkitgtk3
webkitgtk4
webkit2gtk3
Matching in nixpkgs
pkgs.webkitgtk_4_1
Web content rendering engine, GTK port
- nixos-unstable 2.52.2+abi=4.1
- nixpkgs-unstable 2.52.2+abi=4.1
- nixos-unstable-small 2.52.3+abi=4.1
- nixos-25.11 2.52.3+abi=4.1
- nixos-25.11-small 2.52.3+abi=4.1
- nixpkgs-25.11-darwin 2.52.3+abi=4.1
pkgs.webkitgtk_6_0
Web content rendering engine, GTK port
- nixos-unstable 2.52.2+abi=6.0
- nixpkgs-unstable 2.52.2+abi=6.0
- nixos-unstable-small 2.52.3+abi=6.0
- nixos-25.11 2.52.3+abi=6.0
- nixos-25.11-small 2.52.3+abi=6.0
- nixpkgs-25.11-darwin 2.52.3+abi=6.0
Package maintainers
- @bobby285271 Bobby Rong <rjl931189261@126.com>
- @dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
- @hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
- @jtojnar Jan Tojnar <jtojnar@gmail.com>