CVE-2025-4948

Name: CVE-2025-4948
Description: A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which GNOME and many other applications use for web communication. The issue is triggered when the library parses a specially crafted multipart message. Because the input is not properly validated, an internal calculation can underflow (integer underflow), after which the library reads invalid memory and crashes. Any application or server that uses libsoup to parse multipart messages can therefore be forced to exit unexpectedly, which is a denial-of-service (DoS) risk.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1106204, 1106337
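The kind of underflow the description refers to, as an added illustration that is not libsoup's code (the boundary string, the three message bodies and every function name below are constructed for this example): a multipart parser locates the body of a part and the delimiter that ends it, then subtracts the two CRLF bytes that are supposed to precede the delimiter. When a crafted message places the delimiter directly after the header terminator, the span is 0 and the unchecked subtraction wraps to a huge size_t; the checked version verifies the span and the CRLF before doing the arithmetic and rejects the part instead.

```c
/* Illustrative multipart part-length check (added example, not libsoup's code). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical boundary and three constructed message bodies (not real traffic).
 * Layout of one part: --BOUNDARY CRLF headers CRLF CRLF body CRLF --BOUNDARY-- */
static const char *BOUNDARY = "bnd";
static const char MSG_OK[]      = "--bnd\r\nContent-Type: text/plain\r\n\r\nhello\r\n--bnd--\r\n";
static const char MSG_EMPTY[]   = "--bnd\r\nContent-Type: text/plain\r\n\r\n\r\n--bnd--\r\n";
/* Crafted: the closing delimiter follows the header terminator directly, so the
 * CRLF that should precede it does not exist. */
static const char MSG_CRAFTED[] = "--bnd\r\nContent-Type: text/plain\r\n\r\n--bnd--\r\n";

/* Plain substring search over a byte range (avoids the GNU memmem extension). */
static const char *find_bytes(const char *hay, size_t hay_len,
                              const char *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len)
        return NULL;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return hay + i;
    return NULL;
}

/* Locate the first part's body start and the delimiter that ends it.
 * Returns 1 on success, 0 if the message has no complete part. */
static int locate_first_part(const char *msg, const char **body, const char **next)
{
    char delim[64];
    size_t blen = strlen(BOUNDARY);
    if (blen + 2 >= sizeof delim)
        return 0;
    memcpy(delim, "--", 2);
    memcpy(delim + 2, BOUNDARY, blen);
    size_t dlen = blen + 2, mlen = strlen(msg);
    const char *end = msg + mlen;

    const char *open = find_bytes(msg, mlen, delim, dlen);
    if (!open)
        return 0;
    const char *hdr = open + dlen;
    const char *hdr_end = find_bytes(hdr, (size_t)(end - hdr), "\r\n\r\n", 4);
    if (!hdr_end)
        return 0;
    *body = hdr_end + 4;
    *next = find_bytes(*body, (size_t)(end - *body), delim, dlen);
    return *next != NULL;
}

/* Vulnerable pattern: assumes the CRLF before the delimiter is always present
 * and subtracts 2 from the span. When the span is 0 or 1 the size_t wraps, and
 * any later read or copy that trusts this length runs past the buffer. */
size_t first_part_len_unchecked(const char *msg)
{
    const char *body, *next;
    if (!locate_first_part(msg, &body, &next))
        return 0;
    size_t span = (size_t)(next - body);
    return span - 2;   /* underflows when span < 2 */
}

/* Hardened pattern: check that the span can hold the CRLF and that those two
 * bytes really are CRLF before doing the subtraction. Returns -1 for a
 * malformed part instead of a wrapped length. */
long first_part_len_checked(const char *msg)
{
    const char *body, *next;
    if (!locate_first_part(msg, &body, &next))
        return -1;
    size_t span = (size_t)(next - body);
    if (span < 2 || memcmp(next - 2, "\r\n", 2) != 0)
        return -1;
    return (long)(span - 2);
}

int main(void)
{
    printf("ok:      checked=%ld unchecked=%zu\n",
           first_part_len_checked(MSG_OK), first_part_len_unchecked(MSG_OK));
    printf("empty:   checked=%ld unchecked=%zu\n",
           first_part_len_checked(MSG_EMPTY), first_part_len_unchecked(MSG_EMPTY));
    printf("crafted: checked=%ld unchecked=%zu\n",
           first_part_len_checked(MSG_CRAFTED), first_part_len_unchecked(MSG_CRAFTED));
    return 0;
}
```

For the normal and empty parts both versions agree (5 and 0). For the crafted part the unchecked version returns SIZE_MAX - 1, which is exactly the value a following memcpy or g_strndup-style copy would be handed; the checked version returns -1 and the caller can reject the message before touching memory.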

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release             | Version          | Status
libsoup2.4 (PTS) | bullseye            | 2.72.0-2         | vulnerable
libsoup2.4 (PTS) | bullseye (security) | 2.72.0-2+deb11u2 | vulnerable
libsoup2.4 (PTS) | bookworm            | 2.74.3-1+deb12u1 | vulnerable
libsoup2.4 (PTS) | sid, trixie         | 2.74.3-10.1      | vulnerable
libsoup3 (PTS)   | bookworm            | 3.2.2-2          | vulnerable
libsoup3 (PTS)   | sid, trixie         | 3.6.5-1          | vulnerable

The information below is based on the following data on fixed versions.

Package    | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
libsoup2.4 | source | (unstable) | (unfixed)     |         |        | 1106337
libsoup3   | source | (unstable) | (unfixed)     |         |        | 1106204

Notes

https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/463
