CVE-2025-9901
Vulnerability
libsoup: Improper Handling of HTTP Vary Header in libsoup Caching
ecosystem: redhat:6, redhat:7, redhat:8, redhat:9, redhat:10
A flaw was found in libsoup's caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on request headers such as language or authentication. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments.
References
- secalert@redhat.com: https://access.redhat.com/security/cve/CVE-2025-9901
- secalert@redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2392790
- secalert@redhat.com: https://nvd.nist.gov/vuln/detail/CVE-2025-9901
- secalert@redhat.com: https://www.cve.org/CVERecord?id=CVE-2025-9901
type: vendor
source: secalert@redhat.com
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
| Metric | Value |
|---|---|
| AV | Network |
| AC | High |
| PR | None |
| UI | None |
| S | Not Changed |
| C | High |
| I | None |
| A | None |
source: secalert@redhat.com
Use of Cache Containing Sensitive Information
source: secalert@redhat.com
published: 2025-09-03 00:00:00
modified: 2025-11-21 11:09:15
Detection
redhat-vex
OR
- libsoup3 (package type: binary)
- libsoup3-devel (package type: binary)
- libsoup3-doc (package type: binary)
- libsoup3 (package type: source)
tag: rhel-10:d927fec7-2aaa-ffbd-ee12-ef9277d5e9c8
redhat-vex
OR
- libsoup (package type: binary)
- libsoup-devel (package type: binary)
- libsoup (package type: source)
tag: rhel-6-els:7cf729e1-4caa-1316-d070-5f07011823b8
OR
- libsoup (package type: binary)
- libsoup-devel (package type: binary)
- libsoup (package type: source)
tag: rhel-6-extras-including-unpatched:7cf729e1-4caa-1316-d070-5f07011823b8
OR
- libsoup (package type: binary)
- libsoup-devel (package type: binary)
- libsoup (package type: source)
tag: rhel-6-including-unpatched:7cf729e1-4caa-1316-d070-5f07011823b8
OR
- libsoup (package type: binary)
- libsoup-devel (package type: binary)
- libsoup (package type: source)
tag: rhel-6-supplementary:7cf729e1-4caa-1316-d070-5f07011823b8
redhat-vex
OR
- libsoup (package type: binary)
- libsoup-devel (package type: binary)
- libsoup (package type: source)
tag: rhel-8-including-unpatched:cb9fa898-b85c-12cd-afbf-2a4f72047ce2
redhat-vex
OR
- libsoup (package type: binary)
- libsoup-devel (package type: binary)
- libsoup (package type: source)
tag: rhel-7-extras-including-unpatched:8814c35d-6965-1fb9-9d76-6792876a176d
OR
- libsoup (package type: binary)
- libsoup-devel (package type: binary)
- libsoup (package type: source)
tag: rhel-7-including-unpatched:8814c35d-6965-1fb9-9d76-6792876a176d
OR
- libsoup (package type: binary)
- libsoup-devel (package type: binary)
- libsoup (package type: source)
tag: rhel-7-supplementary:8814c35d-6965-1fb9-9d76-6792876a176d
redhat-vex
OR
- libsoup (package type: binary)
- libsoup-devel (package type: binary)
- libsoup (package type: source)
tag: rhel-9-including-unpatched:cd80fea4-e5e1-35f5-4307-071d865ae347
Data Sources
- RedHat Enterprise Linux CSAF VEX
redhat-vex