CVE-2025-4035

NameCVE-2025-4035
DescriptionA flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1104414, 1104415

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libsoup2.4 (PTS)bullseye2.72.0-2vulnerable
bullseye (security)2.72.0-2+deb11u2vulnerable
bookworm2.74.3-1+deb12u1vulnerable
forky, sid, trixie2.74.3-10.1vulnerable
libsoup3 (PTS)bookworm3.2.3-0+deb12u2vulnerable
trixie3.6.5-3vulnerable
forky, sid3.6.5-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libsoup2.4source(unstable)(unfixed)1104415
libsoup3source(unstable)(unfixed)1104414

Notes

[trixie] - libsoup3 <no-dsa> (Minor issue)
[bookworm] - libsoup3 <no-dsa> (Minor issue)
[trixie] - libsoup2.4 <no-dsa> (Minor issue)
[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2362651
https://gitlab.gnome.org/GNOME/libsoup/-/issues/443
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/448
Search for package or bug name: Reporting problems