CVE-2025-9901

NameCVE-2025-9901
DescriptionA flaw was found in libsoup’s caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on request headers such as language or authentication. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1113991, 1113992

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libsoup2.4 (PTS)bullseye2.72.0-2vulnerable
bullseye (security)2.72.0-2+deb11u2vulnerable
bookworm2.74.3-1+deb12u1vulnerable
sid, trixie2.74.3-10.1vulnerable
libsoup3 (PTS)bookworm3.2.3-0+deb12u2vulnerable
trixie3.6.5-3vulnerable
forky, sid3.6.5-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libsoup2.4source(unstable)(unfixed)1113992
libsoup3source(unstable)(unfixed)1113991

Notes

[trixie] - libsoup3 <no-dsa> (Minor issue)
[bookworm] - libsoup3 <no-dsa> (Minor issue)
[trixie] - libsoup2.4 <no-dsa> (Minor issue)
[bookworm] - libsoup2.4 <no-dsa> (Minor issue)
https://gitlab.gnome.org/GNOME/libsoup/-/issues/453
Search for package or bug name: Reporting problems