CVE-2025-46421

A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.

References

Affected packages

Debian:11 / libsoup2.4

Package

Name: libsoup2.4
Purl: pkg:deb/debian/libsoup2.4?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.72.0-2

2.72.0-2+deb11u1

2.72.0-2+deb11u2

2.72.0-3

2.72.0-4

2.74.0-1

2.74.0-2

2.74.0-3

2.74.1-1

2.74.2-1

2.74.2-2

2.74.2-3

2.74.3-1

2.74.3-2

2.74.3-3

2.74.3-3.1~exp1

2.74.3-3.1~exp2

2.74.3-3.1~exp3

2.74.3-5

2.74.3-6

2.74.3-7

2.74.3-8

2.74.3-8.1

2.74.3-9

2.74.3-10

2.74.3-10.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libsoup2.4

Package

Name: libsoup2.4
Purl: pkg:deb/debian/libsoup2.4?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.74.3-1

2.74.3-1+deb12u1

2.74.3-2

2.74.3-3

2.74.3-3.1~exp1

2.74.3-3.1~exp2

2.74.3-3.1~exp3

2.74.3-5

2.74.3-6

2.74.3-7

2.74.3-8

2.74.3-8.1

2.74.3-9

2.74.3-10

2.74.3-10.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libsoup2.4

Package

Name: libsoup2.4
Purl: pkg:deb/debian/libsoup2.4?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.74.3-1

2.74.3-2

2.74.3-3

2.74.3-3.1~exp1

2.74.3-3.1~exp2

2.74.3-3.1~exp3

2.74.3-5

2.74.3-6

2.74.3-7

2.74.3-8

2.74.3-8.1

2.74.3-9

2.74.3-10

2.74.3-10.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libsoup3

Package

Name: libsoup3
Purl: pkg:deb/debian/libsoup3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.2.2-2

3.3.1-1

3.4.0-1

3.4.1-1

3.4.2-1

3.4.2-2

3.4.2-3

3.4.2-4

3.4.3-1

3.4.4-1

3.4.4-2

3.4.4-3

3.4.4-4

3.4.4-5

3.5.2-1

3.6.0-1

3.6.0-2

3.6.0-3

3.6.0-4

3.6.1-1

3.6.4-1

3.6.4-2

3.6.4-3

3.6.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libsoup3

Package

Name: libsoup3
Purl: pkg:deb/debian/libsoup3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.5-1

Affected versions

3.*

3.2.2-2

3.3.1-1

3.4.0-1

3.4.1-1

3.4.2-1

3.4.2-2

3.4.2-3

3.4.2-4

3.4.3-1

3.4.4-1

3.4.4-2

3.4.4-3

3.4.4-4

3.4.4-5

3.5.2-1

3.6.0-1

3.6.0-2

3.6.0-3

3.6.0-4

3.6.1-1

3.6.4-1

3.6.4-2

3.6.4-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}